management traffic QoS on Tunnel interfaces

Andrey_Khomyakov · July 29, 2013, 4:07pm

Hi all,
I have been trying to come up with a qos policy (or rather where to apply
it) for reserving some bandwidth for management traffic to the local router
The setup is that a remote route is a spoke to a DMVPN network, thus has a
couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
I have no issue working out service policy for transiting traffic, however,
I can't wrap my head around how to reserve some bandwidth for the locally
originated SSH traffic (managing the router).

I'd like to mark ssh response packets from the local router (1.1.1.1) with
CS2,so i can match them in the tunnel policy shown below.

Has anyone come across this task before?

interface Loopback0
ip address 1.1.1.1 255.255.255.255

interface Tunnel0
ip address 2.2.2.2 255.255.255.0
qos pre-classify
<snip>
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre shared
!
interface FastEthernet0/0
desc DSL/Cable/FiOS
ip address 3.3.3.3 255.255.255.0
bandwidth 768
bandwidth receive 1500
service-policy output SHAPE-OUT-768
!
class-map match-any SSH
match ip dscp cs2
!
policy-map SHAPE-OUT-768
class class-default
shape average 768000
service-policy SSH
!
service-policy SSH
class SSH
   bandwidth percent 5
class class-default
   fair-queue
   queue-limit 15 packets

--Andrey

Darren_O_Connor · July 29, 2013, 4:31pm

In this class you are matching:

class-map match-any SSH
match ip dscp cs2

Why not just match an ACL for SSH traffic from the local router back to your management range?

Chuck_Church · July 29, 2013, 7:47pm

Newer IOS support setting precedence or DSCP for outbound SSH:

ip ssh prec 2

Thanks,

Chuck

Andrey_Khomyakov · July 29, 2013, 8:11pm

Darren,
My understanding that qos-preclassify will only copy ToS header from
original packet to encrypted packet. Since service-policy is applied to the
physical interface and is looking at already encrypted traffic, ACLs won't
see the original source/destination
Andrey

--Andrey

Andrey_Khomyakov · July 29, 2013, 9:09pm

Looks like exactly what I'm looking for, but for some reason doesn't work.
Below produces 0 packet match.

ip ssh prec 2

class-map match-any SSH
match ip dscp cs2
match ip precedence 2

As a test I also tried this:

ip access-list extended Management_Access
remark Play nice with router management traffic
permit tcp any range 22 telnet any
permit tcp any any range 22 telnet

class-map match-any management
match access-group name Management_Access

policy-map Mark-Local-SSH
class management
set ip dscp cs2

ip local policy route-map Mark-Local-SSH

Jon_Mitchell1 · July 30, 2013, 12:45am

On some platforms locally generated traffic bypasses egress intf ACL/QoS, try your test with an ACL on ingress on a diff router in the path.

-Jon