[164711] in North American Network Operators' Group


Re: management traffic QoS on Tunnel interfaces

daemon@ATHENA.MIT.EDU (Jon Mitchell)
Mon Jul 29 20:45:34 2013

In-Reply-To: <CAB31LOP0dQcKss_5tUySwVPSpuUr9p1hvgoaDFYJDWnDTOUypA@mail.gmail.com>
From: Jon Mitchell <jrmitche@puck.nether.net>
Date: Tue, 30 Jul 2013 02:45:15 +0200
To: Andrey Khomyakov <khomyakov.andrey@gmail.com>
Cc: Nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On some platforms locally generated traffic bypasses egress intf ACL/QoS, try your test with an ACL on ingress on a diff router in the path.

-Jon

On Jul 29, 2013, at 11:09 PM, Andrey Khomyakov <khomyakov.andrey@gmail.com> wrote:

> Looks like exactly what I'm looking for, but for some reason doesn't work.
> Below produces 0 packet match.
>
> ip ssh prec 2
>
> class-map match-any SSH
> match ip dscp cs2
> match ip precedence 2
>
> As a test I also tried this:
>
> ip access-list extended Management_Access
> remark Play nice with router management traffic
> permit tcp any range 22 telnet any
> permit tcp any any range 22 telnet
>
> class-map match-any management
> match access-group name Management_Access
>
> policy-map Mark-Local-SSH
> class management
> set ip dscp cs2
>
> ip local policy route-map Mark-Local-SSH
>
> ---
> Later on this matches 0 packets in both cases
> class-map match-any SSH
> match ip dscp cs2
> match ip precedence 2
>
> --Andrey
>
> On Mon, Jul 29, 2013 at 3:47 PM, Chuck Church <chuckchurch@gmail.com> wrote:
>
>> Newer IOS supports setting precedence or DSCP for outbound SSH:
>>
>> ip ssh prec 2
>>
>> Thanks,
>>
>> Chuck
>>
>> -----Original Message-----
>> From: Andrey Khomyakov [mailto:khomyakov.andrey@gmail.com]
>> Sent: Monday, July 29, 2013 12:07 PM
>> To: Nanog
>> Subject: management traffic QoS on Tunnel interfaces
>>
>> Hi all,
>> I have been trying to come up with a qos policy (or rather where to apply
>> it) for reserving some bandwidth for management traffic to the local router.
>> The setup is that a remote router is a spoke to a DMVPN network, thus has a
>> couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
>> I have no issue working out service policy for transiting traffic, however,
>> I can't wrap my head around how to reserve some bandwidth for the locally
>> originated SSH traffic (managing the router).
>>
>> I'd like to mark ssh response packets from the local router (1.1.1.1) with
>> CS2, so I can match them in the tunnel policy shown below.
>>
>> Has anyone come across this task before?
>>
>> interface Loopback0
>> ip address 1.1.1.1 255.255.255.255
>>
>> interface Tunnel0
>> ip address 2.2.2.2 255.255.255.0
>> qos pre-classify
>> <snip>
>> tunnel source FastEthernet0/0
>> tunnel mode gre multipoint
>> tunnel protection ipsec profile protect-gre shared
>> !
>> interface FastEthernet0/0
>> desc DSL/Cable/FiOS
>> ip address 3.3.3.3 255.255.255.0
>> bandwidth 768
>> bandwidth receive 1500
>> service-policy output SHAPE-OUT-768
>> !
>> class-map match-any SSH
>> match ip dscp cs2
>> !
>> policy-map SHAPE-OUT-768
>> class class-default
>> shape average 768000
>> service-policy SSH
>> !
>> service-policy SSH
>> class SSH
>>  bandwidth percent 5
>> class class-default
>>  fair-queue
>>  queue-limit 15 packets
>>
>> --Andrey
>>

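The match logic from the thread, as a small added check that is not part of this thread or of any vendor code: it constructs a few IPv4/TCP packets (every address and port below is made up), decodes the ToS byte the way `match ip dscp cs2`, `match ip precedence 2` and the Management_Access ACL would, and counts class hits the way a downstream ingress policy would. That is the kind of test Jon suggests for telling a bypassed local marking from a broken class-map, and it also shows why `ip ssh prec 2` (ToS 0x40) satisfies both match-any lines at once.

```python
import struct

DSCP_CS2, PRECEDENCE_2 = 16, 2  # CS2 = DSCP 16 (010000b); precedence = top 3 bits of ToS
MGMT_PORTS = (22, 23)  # ACL Management_Access: "range 22 telnet"


def build_ipv4_tcp(src, dst, sport, dport, tos):
    """Construct a minimal IPv4+TCP header pair (checksums zeroed; constructed test data)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse(pkt):
    """Pull the fields the class-maps and the ACL look at out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tos, proto = pkt[1], pkt[9]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto == 6 else (None, None)
    return {"dscp": tos >> 2, "prec": tos >> 5, "proto": proto, "sport": sport, "dport": dport}


def matches_ssh_classmap(pkt):
    """class-map match-any SSH: 'match ip dscp cs2' OR 'match ip precedence 2'."""
    f = parse(pkt)
    return f["dscp"] == DSCP_CS2 or f["prec"] == PRECEDENCE_2


def matches_management_acl(pkt):
    """permit tcp any range 22 telnet any / permit tcp any any range 22 telnet."""
    f = parse(pkt)
    return f["proto"] == 6 and (f["sport"] in MGMT_PORTS or f["dport"] in MGMT_PORTS)


def ssh_class_hits(packets):
    """Emulate the 'class SSH' counter for packets seen on the next-hop router's ingress."""
    return sum(1 for p in packets if matches_ssh_classmap(p))


# Constructed capture: a correctly marked SSH reply carries ToS 0x40, i.e. precedence 010
# and DSCP 010000 (CS2), so it hits both match-any lines; an unmarked reply hits neither.
SAMPLE = [
    build_ipv4_tcp("1.1.1.1", "10.0.0.5", 22, 50000, tos=0x40),  # marked SSH reply
    build_ipv4_tcp("1.1.1.1", "10.0.0.5", 22, 50000, tos=0x00),  # reply that bypassed marking
    build_ipv4_tcp("10.0.0.5", "1.1.1.1", 50000, 22, tos=0x00),  # inbound SSH, never marked
    build_ipv4_tcp("1.1.1.1", "10.0.0.5", 179, 40000, tos=0xC0),  # precedence 6, not SSH
]

if __name__ == "__main__":
    print("class SSH hits:", ssh_class_hits(SAMPLE), "of", len(SAMPLE))  # 1 of 4
```

If the same packets match on the downstream ingress but the local egress policy shows 0 hits, the marking is happening and the egress path is what is being skipped.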
