management traffic QoS on Tunnel interfaces

Hi all,
I have been trying to come up with a qos policy (or rather where to apply
it) for reserving some bandwidth for management traffic to the local router
The setup is that a remote route is a spoke to a DMVPN network, thus has a
couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
I have no issue working out service policy for transiting traffic, however,
I can't wrap my head around how to reserve some bandwidth for the locally
originated SSH traffic (managing the router).

I'd like to mark SSH response packets from the local router with
CS2, so I can match them in the tunnel policy shown below.

Has anyone come across this task before?

interface Loopback0
 ip address

interface Tunnel0
 ip address
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared

interface FastEthernet0/0
 description DSL/Cable/FiOS
 ip address
 bandwidth 768
 bandwidth receive 1500
 service-policy output SHAPE-OUT-768

class-map match-any SSH
 match ip dscp cs2

policy-map SHAPE-OUT-768
 class class-default
  shape average 768000
  service-policy SSH

policy-map SSH
 class SSH
  bandwidth percent 5
 class class-default
  queue-limit 15 packets


In this class you are matching:

class-map match-any SSH
 match ip dscp cs2

Why not just match an ACL for SSH traffic from the local router back to your management range?

Newer IOS versions support setting precedence or DSCP for outbound SSH:

ip ssh prec 2



My understanding is that qos pre-classify will only copy the ToS header from the
original packet to the encrypted packet. Since the service-policy is applied to the
physical interface and is looking at already encrypted traffic, ACLs won't
see the original source/destination.
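
Added example (not from any post in this thread): a constructed Python model of what a classifier on FastEthernet0/0 can see once the router's SSH reply has left Tunnel0 as GRE inside ESP. The IP/TCP/GRE header layouts are real, but the addresses, ports and the XOR stand-in for ESP encryption are made up for the demonstration.

```python
import socket
import struct

CS2 = 16                  # DSCP CS2 = binary 010000, i.e. IP precedence 2
SSH_PORTS = {22, 23}      # the port range the Management_Access ACL matches


def ipv4(src, dst, proto, dscp, payload):
    """Minimal IPv4 header (RFC 791); checksum left 0, we only classify it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload),
                      0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp(sport, dport, data=b""):
    """Minimal TCP header: ports, seq/ack 0, data offset 5, flags PSH|ACK."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18,
                       8192, 0, 0) + data


def gre_ipsec_encap(inner, tun_src, tun_dst, copy_tos):
    """GRE (RFC 2784, no options) then ESP tunnel mode (IP proto 50).
    Outer DSCP is copied from the inner header only when copy_tos is set."""
    gre = struct.pack("!HH", 0, 0x0800) + inner
    esp = bytes(b ^ 0x5A for b in gre)          # constructed stand-in for ESP
    outer_dscp = (inner[1] >> 2) if copy_tos else 0
    return ipv4(tun_src, tun_dst, 50, outer_dscp, esp)


def dscp_of(pkt):
    return pkt[1] >> 2


def match_ssh_acl(pkt):
    """Emulates 'permit tcp any range 22 telnet any' and the reverse line."""
    if pkt[9] != 6:           # not TCP at this layer: the ESP payload is opaque
        return False
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return sport in SSH_PORTS or dport in SSH_PORTS


def classify(pkt):
    """The thread's class-map on the physical interface: match ip dscp cs2."""
    return "SSH" if dscp_of(pkt) == CS2 else "class-default"


def ssh_reply_from_router(copy_tos=True):
    """SSH response from Lo0 to a made-up management host, marked CS2, then
    sent through Tunnel0. Returns (pre-encapsulation, post-encapsulation)."""
    inner = ipv4("10.0.0.1", "192.0.2.10", 6, CS2, tcp(22, 51000, b"ssh"))
    outer = gre_ipsec_encap(inner, "198.51.100.2", "198.51.100.1", copy_tos)
    return inner, outer
```

The model only covers header visibility; it says nothing about platforms where locally generated traffic skips egress QoS entirely, which is a separate check.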


Looks like exactly what I'm looking for, but for some reason it doesn't work.
The config below produces 0 packet matches.

ip ssh prec 2

class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2

As a test I also tried this:

ip access-list extended Management_Access
 remark Play nice with router management traffic
 permit tcp any range 22 telnet any
 permit tcp any any range 22 telnet

class-map match-any management
 match access-group name Management_Access

policy-map Mark-Local-SSH
 class management
  set ip dscp cs2

ip local policy route-map Mark-Local-SSH

On some platforms locally generated traffic bypasses the egress interface ACL/QoS; try your test with an ACL on ingress on a different router in the path.