In this class you are matching:

class-map match-any SSH
 match ip dscp cs2

Why not just match an ACL for SSH traffic from the local router back to your management range?

> From: khomyakov.and...@gmail.com
> Date: Mon, 29 Jul 2013 12:07:19 -0400
> Subject: management traffic QoS on Tunnel interfaces
> To: nanog@nanog.org
>
> Hi all,
> I have been trying to come up with a qos policy (or rather where to apply
> it) for reserving some bandwidth for management traffic to the local router.
> The setup is that a remote route is a spoke to a DMVPN network, thus has a
> couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
> I have no issue working out service policy for transiting traffic, however,
> I can't wrap my head around how to reserve some bandwidth for the locally
> originated SSH traffic (managing the router).
>
> I'd like to mark ssh response packets from the local router (1.1.1.1) with
> CS2, so I can match them in the tunnel policy shown below.
>
> Has anyone come across this task before?
>
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.255
>
> interface Tunnel0
>  ip address 2.2.2.2 255.255.255.0
>  qos pre-classify
>  <snip>
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel protection ipsec profile protect-gre shared
> !
> interface FastEthernet0/0
>  desc DSL/Cable/FiOS
>  ip address 3.3.3.3 255.255.255.0
>  bandwidth 768
>  bandwidth receive 1500
>  service-policy output SHAPE-OUT-768
> !
> class-map match-any SSH
>  match ip dscp cs2
> !
> policy-map SHAPE-OUT-768
>  class class-default
>   shape average 768000
>   service-policy SSH
> !
> policy-map SSH
>  class SSH
>   bandwidth percent 5
>  class class-default
>   fair-queue
>   queue-limit 15 packets
>
> --Andrey
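
The ACL match suggested in the reply, sketched against the quoted configuration. This is an added example, not part of the original thread. The management range 192.0.2.0/24 is a placeholder (the thread does not give one) and the ACL name MGMT-SSH-LOCAL is made up for illustration.

```cisco
! Added example; 192.0.2.0/24 is a placeholder for the management range
! and MGMT-SSH-LOCAL is a hypothetical ACL name.
ip access-list extended MGMT-SSH-LOCAL
 remark SSH replies from Lo0 (1.1.1.1, TCP/22) back to the management range
 permit tcp host 1.1.1.1 eq 22 192.0.2.0 0.0.0.255
!
! match-any: a packet lands in this class if it is already marked CS2
! (transit traffic) OR if it matches the ACL (router-originated SSH replies),
! so no re-marking of local traffic is required.
class-map match-any SSH
 match ip dscp cs2
 match access-group name MGMT-SSH-LOCAL
!
! Child policy, unchanged from the thread: 5% guaranteed to the SSH class.
policy-map SSH
 class SSH
  bandwidth percent 5
 class class-default
  fair-queue
  queue-limit 15 packets
!
! Parent shaper, unchanged from the thread, attached to FastEthernet0/0.
policy-map SHAPE-OUT-768
 class class-default
  shape average 768000
  service-policy SSH
```

The ACL can only see the inner TCP header because Tunnel0 carries `qos pre-classify`; without it the policy on FastEthernet0/0 would be classifying on the outer IPsec header. The class counters in `show policy-map interface FastEthernet0/0` show whether SSH replies are actually landing in the SSH class.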