Darren,

My understanding is that qos pre-classify will only copy the ToS header from the original packet to the encrypted packet. Since the service-policy is applied to the physical interface and is looking at already encrypted traffic, ACLs won't see the original source/destination.

Andrey
--Andrey

On Mon, Jul 29, 2013 at 12:31 PM, Darren O'Connor <darre...@outlook.com> wrote:
> In this class you are matching:
>
> class-map match-any SSH
>  match ip dscp cs2
>
> Why not just match an ACL for SSH traffic from the local router back to your
> management range?
>
> > From: khomyakov.and...@gmail.com
> > Date: Mon, 29 Jul 2013 12:07:19 -0400
> > Subject: management traffic QoS on Tunnel interfaces
> > To: nanog@nanog.org
> >
> > Hi all,
> > I have been trying to come up with a qos policy (or rather where to apply
> > it) for reserving some bandwidth for management traffic to the local router.
> > The setup is that a remote router is a spoke to a DMVPN network, thus has a
> > couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
> > I have no issue working out a service policy for transiting traffic; however,
> > I can't wrap my head around how to reserve some bandwidth for the locally
> > originated SSH traffic (managing the router).
> >
> > I'd like to mark ssh response packets from the local router (1.1.1.1) with
> > CS2, so I can match them in the tunnel policy shown below.
> >
> > Has anyone come across this task before?
> >
> > interface Loopback0
> >  ip address 1.1.1.1 255.255.255.255
> > !
> > interface Tunnel0
> >  ip address 2.2.2.2 255.255.255.0
> >  qos pre-classify
> >  <snip>
> >  tunnel source FastEthernet0/0
> >  tunnel mode gre multipoint
> >  tunnel protection ipsec profile protect-gre shared
> > !
> > interface FastEthernet0/0
> >  description DSL/Cable/FiOS
> >  ip address 3.3.3.3 255.255.255.0
> >  bandwidth 768
> >  bandwidth receive 1500
> >  service-policy output SHAPE-OUT-768
> > !
> > class-map match-any SSH
> >  match ip dscp cs2
> > !
> > policy-map SHAPE-OUT-768
> >  class class-default
> >   shape average 768000
> >   service-policy SSH
> > !
> > policy-map SSH
> >  class SSH
> >   bandwidth percent 5
> >  class class-default
> >   fair-queue
> >   queue-limit 15 packets
> >
> > --Andrey
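One way to implement Darren's ACL-based suggestion while sidestepping the question of what the physical-interface policy can see after encryption, as an added example that is not either poster's configuration: classify the locally sourced SSH replies by ACL on the tunnel (where the cleartext headers are still visible), mark them CS2 there, and leave the existing DSCP-only class on FastEthernet0/0 to catch them once the ToS byte has been copied to the outer header. The management range 198.51.100.0/24 is a placeholder, and it is assumed that an output policy on Tunnel0 marks locally originated packets on this platform and that the DSCP is copied to the outer IPsec/GRE header.

```ios
! Added example, not the poster's config. 198.51.100.0/24 is a placeholder
! for the management range and must be replaced with the real one.
ip access-list extended SSH-FROM-LOCAL
 remark SSH replies sourced from the management loopback (1.1.1.1)
 permit tcp host 1.1.1.1 eq 22 198.51.100.0 0.0.0.255
!
! Classify on the ACL where the inner headers are still readable (pre-encryption).
class-map match-any SSH-LOCAL
 match access-group name SSH-FROM-LOCAL
!
! Mark only; queuing stays in SHAPE-OUT-768 on the physical interface.
policy-map MARK-MGMT
 class SSH-LOCAL
  set ip dscp cs2
!
interface Tunnel0
 service-policy output MARK-MGMT
!
! The existing "class-map match-any SSH / match ip dscp cs2" on FastEthernet0/0
! is unchanged: it matches the copied ToS byte of the encrypted packet, so no
! ACL lookup against encrypted traffic is needed there.
!
! Verification: confirm the marking class and the physical-interface SSH class
! both show packet counts while an SSH session to 1.1.1.1 is active.
! show policy-map interface Tunnel0 output
! show policy-map interface FastEthernet0/0 output
```

If the Tunnel0 counters for SSH-LOCAL stay at zero during a session, the platform is not passing locally originated traffic through the tunnel output policy, and a local policy route-map that sets precedence is the usual fallback to test next.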