In this class you are matching:
class-map match-any SSH
 match ip dscp cs2
Why not just match an ACL for SSH traffic from the local router back to your
management range?
From: khomyakov.and...@gmail.com
Date: Mon, 29 Jul 2013 12:07:19 -0400
Subject: management traffic QoS on Tunnel
Newer IOS support setting precedence or DSCP for outbound SSH:
ip ssh prec 2
Thanks,
Chuck
-Original Message-
From: Andrey Khomyakov [mailto:khomyakov.and...@gmail.com]
Sent: Monday, July 29, 2013 12:07 PM
To: Nanog
Subject: management traffic QoS on Tunnel interfaces
Hi all,
I have
Darren,
My understanding is that qos-preclassify will only copy ToS header from
original packet to encrypted packet. Since service-policy is applied to the
physical interface and is looking at already encrypted traffic, ACLs won't
see the original source/destination
Andrey
--Andrey
On Mon, Jul
Looks like exactly what I'm looking for, but for some reason doesn't work.
Below produces 0 packet match.
ip ssh prec 2
class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2
As a test I also tried this:
ip access-list extended Management_Access
 remark Play nice with router
On some platforms locally generated traffic bypasses egress intf ACL/QoS, try
your test with an ACL on ingress on a diff router in the path.
-Jon
On Jul 29, 2013, at 11:09 PM, Andrey Khomyakov khomyakov.and...@gmail.com
wrote:
Looks like exactly what I'm looking for, but for some reason