On some platforms locally generated traffic bypasses egress intf ACL/QoS, try your test with an ACL on ingress on a diff router in the path.
-Jon

On Jul 29, 2013, at 11:09 PM, Andrey Khomyakov <khomyakov.and...@gmail.com> wrote:

> Looks like exactly what I'm looking for, but for some reason doesn't work.
> Below produces 0 packet match.
>
> ip ssh prec 2
>
> class-map match-any SSH
>  match ip dscp cs2
>  match ip precedence 2
>
> As a test I also tried this:
>
> ip access-list extended Management_Access
>  remark Play nice with router management traffic
>  permit tcp any range 22 telnet any
>  permit tcp any any range 22 telnet
>
> class-map match-any management
>  match access-group name Management_Access
>
> policy-map Mark-Local-SSH
>  class management
>   set ip dscp cs2
>
> ip local policy route-map Mark-Local-SSH
>
> ---
> Later on this matches 0 packets in both cases:
>
> class-map match-any SSH
>  match ip dscp cs2
>  match ip precedence 2
>
> --Andrey
>
> On Mon, Jul 29, 2013 at 3:47 PM, Chuck Church <chuckchu...@gmail.com> wrote:
>
>> Newer IOS supports setting precedence or DSCP for outbound SSH:
>>
>> ip ssh prec 2
>>
>> Thanks,
>>
>> Chuck
>>
>> -----Original Message-----
>> From: Andrey Khomyakov [mailto:khomyakov.and...@gmail.com]
>> Sent: Monday, July 29, 2013 12:07 PM
>> To: Nanog
>> Subject: management traffic QoS on Tunnel interfaces
>>
>> Hi all,
>> I have been trying to come up with a qos policy (or rather where to apply it) for reserving some bandwidth for management traffic to the local router. The setup is that a remote router is a spoke to a DMVPN network, thus has a couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh). I have no issue working out service policy for transiting traffic, however, I can't wrap my head around how to reserve some bandwidth for the locally originated SSH traffic (managing the router).
>>
>> I'd like to mark ssh response packets from the local router (1.1.1.1) with CS2, so I can match them in the tunnel policy shown below.
>>
>> Has anyone come across this task before?
>>
>> interface Loopback0
>>  ip address 1.1.1.1 255.255.255.255
>> !
>> interface Tunnel0
>>  ip address 2.2.2.2 255.255.255.0
>>  qos pre-classify
>>  <snip>
>>  tunnel source FastEthernet0/0
>>  tunnel mode gre multipoint
>>  tunnel protection ipsec profile protect-gre shared
>> !
>> interface FastEthernet0/0
>>  desc DSL/Cable/FiOS
>>  ip address 3.3.3.3 255.255.255.0
>>  bandwidth 768
>>  bandwidth receive 1500
>>  service-policy output SHAPE-OUT-768
>> !
>> class-map match-any SSH
>>  match ip dscp cs2
>> !
>> policy-map SHAPE-OUT-768
>>  class class-default
>>   shape average 768000
>>   service-policy SSH
>> !
>> service-policy SSH
>>  class SSH
>>   bandwidth percent 5
>>  class class-default
>>   fair-queue
>>   queue-limit 15 packets
>>
>> --Andrey
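A zero packet-match counter on a class can come from two different places: the platform behaviour Jon describes (locally generated traffic skipping egress classification), or a configuration reference that silently resolves to nothing. The following is an added example, not code from the thread or from anyone on it: a small Python lint that walks an IOS-style configuration, collects the objects it defines (class-maps, policy-maps, route-maps, named ACLs) and reports every reference that no definition satisfies. The sample configuration is constructed here and modelled on the one posted above; it keeps the posted `ip local policy route-map Mark-Local-SSH` line as written. On IOS, `ip local policy` takes a route-map name, while a `policy-map` is attached with `service-policy`, so that reference points at nothing and the lint reports it. It only checks name consistency; it cannot tell you whether a given platform applies the egress policy to router-originated packets, which is what an ingress ACL on the next hop would show.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's configuration; not a real device dump.
# The child queuing policy is written as a proper "policy-map SSH" so that the
# only unresolved reference is the ip local policy line.
SAMPLE_CONFIG = """\
ip access-list extended Management_Access
 remark Play nice with router management traffic
 permit tcp any range 22 telnet any
 permit tcp any any range 22 telnet
!
class-map match-any management
 match access-group name Management_Access
!
class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2
!
policy-map Mark-Local-SSH
 class management
  set ip dscp cs2
!
policy-map SSH
 class SSH
  bandwidth percent 5
 class class-default
  fair-queue
  queue-limit 15 packets
!
policy-map SHAPE-OUT-768
 class class-default
  shape average 768000
  service-policy SSH
!
ip local policy route-map Mark-Local-SSH
!
interface FastEthernet0/0
 service-policy output SHAPE-OUT-768
"""

# Top-level definitions we track: IOS keyword -> regex capturing the object name.
DEFINING = {
    "class-map": re.compile(r"^class-map\s+(?:match-(?:any|all)\s+)?(\S+)"),
    "policy-map": re.compile(r"^policy-map\s+(\S+)"),
    "route-map": re.compile(r"^route-map\s+(\S+)"),
    "ip access-list": re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)"),
}

# References: regex capturing the referenced name, and the kind it must resolve to.
REFERENCING = [
    (re.compile(r"^\s*service-policy\s+(?:(?:input|output)\s+)?(\S+)"), "policy-map"),
    (re.compile(r"^\s*class\s+(\S+)"), "class-map"),
    (re.compile(r"^\s*match access-group name\s+(\S+)"), "ip access-list"),
    (re.compile(r"^\s*ip local policy route-map\s+(\S+)"), "route-map"),
]

# Classes IOS provides implicitly; never a dangling reference.
BUILTIN_CLASSES = {"class-default"}


def parse_definitions(config):
    """Map each tracked kind to the set of names the config defines for it."""
    defined = defaultdict(set)
    for line in config.splitlines():
        for kind, rx in DEFINING.items():
            m = rx.match(line)
            if m:
                defined[kind].add(m.group(1))
    return defined


def find_dangling_references(config):
    """Return (line_no, name, expected_kind) for every reference nothing defines."""
    defined = parse_definitions(config)
    problems = []
    for no, line in enumerate(config.splitlines(), 1):
        for rx, kind in REFERENCING:
            m = rx.match(line)
            if not m:
                continue
            name = m.group(1)
            if kind == "class-map" and name in BUILTIN_CLASSES:
                continue
            if name not in defined[kind]:
                problems.append((no, name, kind))
    return problems


if __name__ == "__main__":
    for no, name, kind in find_dangling_references(SAMPLE_CONFIG):
        print(f"line {no}: '{name}' is referenced but no {kind} by that name is defined")
```

Run against the sample it reports a single finding, the `ip local policy route-map Mark-Local-SSH` line, because the only `Mark-Local-SSH` object is a policy-map. The regexes are deliberately narrow (no `class-map` line is ever taken as a `class` reference, and `class-default` is skipped) so the tool stays quiet on a consistent configuration; extending `DEFINING` and `REFERENCING` with further IOS object kinds is the intended way to grow it.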