RE: management traffic QoS on Tunnel interfaces

2013-07-29 Thread Darren O'Connor
In this class you are matching:
    class-map match-any SSH
     match ip dscp cs2
Why not just match an ACL for SSH traffic from the local router back to your management range?
From: khomyakov.and...@gmail.com Date: Mon, 29 Jul 2013 12:07:19 -0400 Subject: management traffic QoS on Tunnel

RE: management traffic QoS on Tunnel interfaces

2013-07-29 Thread Chuck Church
Newer IOS support setting precedence or DSCP for outbound SSH:
    ip ssh prec 2
Thanks, Chuck
-----Original Message----- From: Andrey Khomyakov [mailto:khomyakov.and...@gmail.com] Sent: Monday, July 29, 2013 12:07 PM To: Nanog Subject: management traffic QoS on Tunnel interfaces
Hi all, I have

Re: management traffic QoS on Tunnel interfaces

2013-07-29 Thread Andrey Khomyakov
Darren, My understanding is that qos-preclassify will only copy ToS header from original packet to encrypted packet. Since service-policy is applied to the physical interface and is looking at already encrypted traffic, ACLs won't see the original source/destination Andrey --Andrey On Mon, Jul

Re: management traffic QoS on Tunnel interfaces

2013-07-29 Thread Andrey Khomyakov
Looks like exactly what I'm looking for, but for some reason doesn't work. Below produces 0 packet match.
    ip ssh prec 2
    class-map match-any SSH
     match ip dscp cs2
     match ip precedence 2
As a test I also tried this:
    ip access-list extended Management_Access
     remark Play nice with router

Re: management traffic QoS on Tunnel interfaces

2013-07-29 Thread Jon Mitchell
On some platforms locally generated traffic bypasses egress intf ACL/QoS, try your test with an ACL on ingress on a diff router in the path. -Jon On Jul 29, 2013, at 11:09 PM, Andrey Khomyakov khomyakov.and...@gmail.com wrote: Looks like exactly what I'm looking for, but for some reason