Hi all,

I have been trying to come up with a QoS policy (or rather where to apply it) for reserving some bandwidth for management traffic to the local router.

The setup is that a remote router is a spoke to a DMVPN network, thus has a couple of IPsec GRE tunnel interfaces and a Lo0 for management (SSH). I have no issue working out a service policy for transiting traffic; however, I can't wrap my head around how to reserve some bandwidth for the locally originated SSH traffic (managing the router).

I'd like to mark SSH response packets from the local router (1.1.1.1) with CS2, so I can match them in the tunnel policy shown below.

Has anyone come across this task before?

interface Loopback0
 ip address 1.1.1.1 255.255.255.255

interface Tunnel0
 ip address 2.2.2.2 255.255.255.0
 qos pre-classify
 <snip>
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared
!
interface FastEthernet0/0
 desc DSL/Cable/FiOS
 ip address 3.3.3.3 255.255.255.0
 bandwidth 768
 bandwidth receive 1500
 service-policy output SHAPE-OUT-768
!
class-map match-any SSH
 match ip dscp cs2
!
policy-map SHAPE-OUT-768
 class class-default
  shape average 768000
  service-policy SSH
!
policy-map SSH
 class SSH
  bandwidth percent 5
 class class-default
  fair-queue
  queue-limit 15 packets

--Andrey
In this class you are matching:

class-map match-any SSH
 match ip dscp cs2

Why not just match an ACL for SSH traffic from the local router back to your management range?
From: khomyakov.andrey@gmail.com
Date: Mon, 29 Jul 2013 12:07:19 -0400
Subject: management traffic QoS on Tunnel interfaces
To: nanog@nanog.org

Hi all,

I have been trying to come up with a QoS policy (or rather where to apply it) for reserving some bandwidth for management traffic to the local router.

The setup is that a remote router is a spoke to a DMVPN network, thus has a couple of IPsec GRE tunnel interfaces and a Lo0 for management (SSH). I have no issue working out a service policy for transiting traffic; however, I can't wrap my head around how to reserve some bandwidth for the locally originated SSH traffic (managing the router).

I'd like to mark SSH response packets from the local router (1.1.1.1) with CS2, so I can match them in the tunnel policy shown below.

Has anyone come across this task before?

interface Loopback0
 ip address 1.1.1.1 255.255.255.255

interface Tunnel0
 ip address 2.2.2.2 255.255.255.0
 qos pre-classify
 <snip>
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared
!
interface FastEthernet0/0
 desc DSL/Cable/FiOS
 ip address 3.3.3.3 255.255.255.0
 bandwidth 768
 bandwidth receive 1500
 service-policy output SHAPE-OUT-768
!
class-map match-any SSH
 match ip dscp cs2
!
policy-map SHAPE-OUT-768
 class class-default
  shape average 768000
  service-policy SSH
!
policy-map SSH
 class SSH
  bandwidth percent 5
 class class-default
  fair-queue
  queue-limit 15 packets

--Andrey
Darren,

My understanding is that qos pre-classify will only copy the ToS header from the original packet to the encrypted packet. Since the service-policy is applied to the physical interface and is looking at already encrypted traffic, ACLs won't see the original source/destination.

--Andrey

On Mon, Jul 29, 2013 at 12:31 PM, Darren O'Connor <darrenoc@outlook.com> wrote:
In this class you are matching:
class-map match-any SSH
 match ip dscp cs2
Why not just match an ACL for SSH traffic from the local router back to your management range?
Newer IOS supports setting precedence or DSCP for outbound SSH:

ip ssh prec 2

Thanks,

Chuck

-----Original Message-----
From: Andrey Khomyakov [mailto:khomyakov.andrey@gmail.com]
Sent: Monday, July 29, 2013 12:07 PM
To: Nanog
Subject: management traffic QoS on Tunnel interfaces

Hi all,

I have been trying to come up with a QoS policy (or rather where to apply it) for reserving some bandwidth for management traffic to the local router.

The setup is that a remote router is a spoke to a DMVPN network, thus has a couple of IPsec GRE tunnel interfaces and a Lo0 for management (SSH). I have no issue working out a service policy for transiting traffic; however, I can't wrap my head around how to reserve some bandwidth for the locally originated SSH traffic (managing the router).

I'd like to mark SSH response packets from the local router (1.1.1.1) with CS2, so I can match them in the tunnel policy shown below.

Has anyone come across this task before?

interface Loopback0
 ip address 1.1.1.1 255.255.255.255

interface Tunnel0
 ip address 2.2.2.2 255.255.255.0
 qos pre-classify
 <snip>
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared
!
interface FastEthernet0/0
 desc DSL/Cable/FiOS
 ip address 3.3.3.3 255.255.255.0
 bandwidth 768
 bandwidth receive 1500
 service-policy output SHAPE-OUT-768
!
class-map match-any SSH
 match ip dscp cs2
!
policy-map SHAPE-OUT-768
 class class-default
  shape average 768000
  service-policy SSH
!
policy-map SSH
 class SSH
  bandwidth percent 5
 class class-default
  fair-queue
  queue-limit 15 packets

--Andrey
Looks like exactly what I'm looking for, but for some reason it doesn't work. The config below produces 0 packet matches.

ip ssh prec 2

class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2

As a test I also tried this:

ip access-list extended Management_Access
 remark Play nice with router management traffic
 permit tcp any range 22 telnet any
 permit tcp any any range 22 telnet

class-map match-any management
 match access-group name Management_Access

policy-map Mark-Local-SSH
 class management
  set ip dscp cs2

ip local policy route-map Mark-Local-SSH

---
Later on this matches 0 packets in both cases:

class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2

--Andrey

On Mon, Jul 29, 2013 at 3:47 PM, Chuck Church <chuckchurch@gmail.com> wrote:
Newer IOS support setting precedence or DSCP for outbound SSH:
ip ssh prec 2
Thanks,
Chuck
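An added toy model (constructed here, not Cisco code or anything from the thread) of the two facts the discussion turns on: `ip ssh prec 2` writes IP precedence 2, which is DSCP CS2 (ToS byte 0x40), and GRE/IPsec encapsulation copies the inner ToS byte into the outer header, so a policy on FastEthernet0/0 that sees only the encrypted outer packet (no qos pre-classify) can still match on DSCP or precedence, while an ACL keyed on the router's SSH port sees only the tunnel endpoints. The packet fields, the client 10.0.0.5 and the hub address 203.0.113.1 are constructed.

```python
"""Toy model of classifying the SSH class on the physical interface.
Constructed example, not Cisco code. It models 'ip ssh prec 2' (precedence 2
== DSCP CS2 == ToS 0x40) and the default copy of the inner ToS byte into the
outer GRE/IPsec header, seen by a classifier without qos pre-classify."""
from dataclasses import dataclass

CS2 = 16  # DSCP class selector 2: precedence 2 in the top three bits

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" for the inner SSH reply, "esp" for the IPsec outer
    sport: int
    dport: int
    tos: int     # full 8-bit ToS byte; DSCP is the top six bits

def tos_from_precedence(prec: int) -> int:
    """ToS byte written by 'ip ssh prec N' (N in 0..7)."""
    if not 0 <= prec <= 7:
        raise ValueError("IP precedence must be 0..7")
    return prec << 5

def dscp(pkt: Packet) -> int:
    return pkt.tos >> 2

def precedence(pkt: Packet) -> int:
    return pkt.tos >> 5

def encapsulate(inner: Packet, tun_src: str, tun_dst: str) -> Packet:
    """GRE over IPsec (tunnel mode): new outer IP header, inner ToS copied."""
    return Packet(tun_src, tun_dst, "esp", 0, 0, inner.tos)

def acl_ssh_from_router(pkt: Packet) -> bool:
    """Model of 'permit tcp any eq 22 any', the ACL approach suggested above."""
    return pkt.proto == "tcp" and pkt.sport == 22

def class_ssh(pkt: Packet) -> bool:
    """class-map match-any SSH: match ip dscp cs2 / match ip precedence 2."""
    return dscp(pkt) == CS2 or precedence(pkt) == 2

def classify_on_physical(inner: Packet) -> dict:
    """What each criterion sees once the reply has left Tunnel0 encrypted.
    3.3.3.3 is the spoke's FastEthernet0/0; the hub address is constructed."""
    outer = encapsulate(inner, "3.3.3.3", "203.0.113.1")
    return {"acl": acl_ssh_from_router(outer), "dscp_class": class_ssh(outer)}
```

Because the class-map is match-any, `match ip precedence 2` also admits every DSCP from 16 to 23 (AF21, AF22, AF23), not only CS2; the model reflects that.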
On some platforms locally generated traffic bypasses egress interface ACL/QoS; try your test with an ACL on ingress on a different router in the path.

-Jon

On Jul 29, 2013, at 11:09 PM, Andrey Khomyakov <khomyakov.andrey@gmail.com> wrote:
Looks like exactly what I'm looking for, but for some reason it doesn't work. The config below produces 0 packet matches.

ip ssh prec 2

class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2

As a test I also tried this:

ip access-list extended Management_Access
 remark Play nice with router management traffic
 permit tcp any range 22 telnet any
 permit tcp any any range 22 telnet

class-map match-any management
 match access-group name Management_Access

policy-map Mark-Local-SSH
 class management
  set ip dscp cs2

ip local policy route-map Mark-Local-SSH

---
Later on this matches 0 packets in both cases:

class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2
--Andrey
On Mon, Jul 29, 2013 at 3:47 PM, Chuck Church <chuckchurch@gmail.com> wrote:
Newer IOS support setting precedence or DSCP for outbound SSH:
ip ssh prec 2
Thanks,
Chuck
participants (4)
- Andrey Khomyakov
- Chuck Church
- Darren O'Connor
- Jon Mitchell