kevinhsieh asked:
Adding QoS kills ssh access to Cisco interface
Hello Experts! I am having an interesting time with QoS on my Cisco routers. My primary goal is to DSCP mark packets as they leave my network so that they can be appropriately handled by my service provider en route to my other offices. I am using IPSec tunnels and I have an Ethernet handoff. A secondary goal is to use CBWFQ to proactively drop packets and LLQ to keep VoIP running smoothly. In all likelihood, queues will get congested on the provider equipment, not my own. This is why it's so important for me to be able to apply DSCP markings.
When I apply the service-policy to my WAN interface I see that packets are getting marked. The problem is that I lose the ability to SSH to the WAN interface of my router. I am still able to SSH to the LAN interface through the IPSec tunnel. This is happening on all 3 routers that I have tried. I am running 12.4(19) on 3640 routers. The problem goes away as soon as I remove the service-policy from the WAN interface.
Thanks for your help!
version 12.4
!
class-map match-any NETWORKCONTROL-CS7
 description Traffic to be tagged CS7
 match access-group name ROUTING-ACL
 match dscp cs7
 match precedence 7
class-map match-any CRITICAL-EF
 description Traffic to be tagged EF
 match dscp ef
 match dscp cs5
 match precedence 5
class-map match-any PRIORITY-AF11
 description Traffic to be tagged AF11
 match access-group name corpMAPI-ACL
 match access-group name internetHTTP-ACL
 match dscp af11
 match dscp cs1
 match precedence 1
class-map match-any PRIORITY-AF13
 description Traffic to be tagged AF13
 match access-group name corpISCSI-ACL
 match dscp af13
class-map match-any PRIORITY-AF12
 description Traffic to be tagged AF12
 match access-group name corpDOUBLETAKE-ACL
 match access-group name corpSERVER-RPC-ACL
 match access-group name internetOTHER-ACL
 match access-group name SMTP-ACL
 match dscp af12
class-map match-any INTERNETWORKCONTROL-CS6
 description Traffic to be tagged CS6
 match access-group name ICMP-ACL
 match dscp cs6
 match precedence 6
class-map match-any FLASHOVERRIDE-AF42
 description Traffic to be tagged AF42
 match access-group name corpSHELL-ACL
 match dscp af42
class-map match-any FLASHOVERRIDE-AF43
 description Traffic to be tagged AF43
 match dscp af43
class-map match-any FLASHOVERRIDE-AF41
 description Traffic to be tagged AF41
 match dscp af41
 match dscp cs4
 match precedence 4
class-map match-any IMMEDIATE-AF21
 description Traffic to be tagged AF21
 match access-group name corpCIFS-ACL
 match access-group name corpHTTP-ACL
 match dscp af21
 match dscp cs2
 match precedence 2
class-map match-any FLASH-AF31
 description Traffic to be tagged AF31
 match access-group name corpBAY1-ACL
 match dscp af31
 match dscp cs3
 match precedence 3
class-map match-any FLASH-AF33
 description Traffic to be tagged AF33
 match access-group name RDP-ACL
 match dscp af33
!
!
policy-map OUT-POLICY-TEST
 description Here we tag the traffic with DSCP markings
 class PRIORITY-AF11
  set dscp af11
  bandwidth remaining percent 10
  random-detect dscp-based
 class PRIORITY-AF12
  set dscp af12
  bandwidth remaining percent 5
  random-detect dscp-based
 class PRIORITY-AF13
  set dscp af13
  bandwidth remaining percent 10
  random-detect dscp-based
 class IMMEDIATE-AF21
  set dscp af21
  bandwidth remaining percent 25
  random-detect dscp-based
 class FLASH-AF31
  set dscp af31
  bandwidth remaining percent 10
  random-detect dscp-based
 class FLASH-AF33
  set dscp af33
  bandwidth remaining percent 10
  random-detect dscp-based
 class FLASHOVERRIDE-AF41
  set dscp af41
  bandwidth remaining percent 25
  random-detect dscp-based
 class FLASHOVERRIDE-AF42
  set dscp af42
  bandwidth remaining percent 2
  random-detect dscp-based
 class FLASHOVERRIDE-AF43
  set dscp af43
  bandwidth remaining percent 2
  random-detect dscp-based
 class INTERNETWORKCONTROL-CS6
  set dscp cs6
  priority percent 1
 class NETWORKCONTROL-CS7
  set dscp cs7
  priority percent 1
 class CRITICAL-EF
  set dscp ef
  priority percent 20
 class class-default
  fair-queue
!
!
!
!
crypto map MYMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set MEDIUM
 match address CRYPTOMAP
 qos pre-classify
!
!
!
!
interface FastEthernet1/0
 description LAN
 ip address 10.100.152.1 255.255.254.0
 duplex auto
 speed auto
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.100.152.1
!
interface Ethernet3/0
 description WAN
 bandwidth 1544
 ip address x.x.x.x 255.255.255.252
 ip access-group INBOUND in
 full-duplex
 crypto map MYMAP
 service-policy output OUT-POLICY-TEST
!
ip access-list extended CRYPTOMAP
 permit ip 10.100.152.0 0.0.1.255 any
ip access-list extended ICMP-ACL
 remark match corporate and Internet ICMP INTERNETWORKCONTROL CS6
 permit icmp any any
ip access-list extended INBOUND
 permit tcp any any established
 permit esp X.X.X.X 0.0.0.1 any
 permit udp X.X.X.X 0.0.0.1 any eq isakmp
 permit icmp any any ttl-exceeded
 permit icmp X.X.X.X 0.0.0.255 any echo
 permit tcp X.X.X.X 0.0.0.1 any eq 22
 permit icmp any any echo-reply
ip access-list extended RDP-ACL
 remark Match Remote Desktop Protocol FLASH AF33
 permit tcp any any eq 3389
 permit tcp any eq 3389 any
ip access-list extended ROUTING-ACL
 remark match Routing Protocols NETWORKCONTROL CS7
 permit eigrp any any
ip access-list extended SMTP-ACL
 remark match SMTP traffic PRIORITY AF12
 permit tcp any any eq smtp
 permit tcp any eq smtp any
ip access-list extended corpBAY1-ACL
 remark match corporate SBN Bay1 traffic FLASH AF31
 permit tcp 10.0.0.0 0.255.255.255 host 10.100.6.107 eq 4100
 permit tcp host 10.100.6.107 eq 4100 10.0.0.0 0.255.255.255
ip access-list extended corpCIFS-ACL
 remark match corporate CIFS traffic IMMEDIATE AF21
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 445
 permit tcp 10.0.0.0 0.255.255.255 eq 445 10.0.0.0 0.255.255.255
ip access-list extended corpDOUBLETAKE-ACL
 remark match corporate Double-Take traffic PRIORITY AF12
 permit tcp 10.101.22.0 0.0.1.255 10.100.22.0 0.0.1.255 eq 1100
 permit tcp 10.100.22.0 0.0.1.255 10.101.22.0 0.0.1.255 eq 1100
 permit tcp 10.101.22.0 0.0.1.255 eq 1100 10.100.22.0 0.0.1.255
 permit tcp 10.100.22.0 0.0.1.255 eq 1100 10.101.22.0 0.0.1.255
ip access-list extended corpHTTP-ACL
 remark match corporate HTTP/HTTPS traffic IMMEDIATE AF21
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq www
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 443
 permit tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255 eq www
 permit tcp 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255 eq 443
 permit tcp 10.0.0.0 0.255.255.255 eq www any
 permit tcp 10.0.0.0 0.255.255.255 eq 443 any
 permit tcp 192.168.0.0 0.0.255.255 eq www any
 permit tcp 192.168.0.0 0.0.255.255 eq 443 any
ip access-list extended corpISCSI-ACL
 remark match corporate iSCSI traffic PRIORITY AF13
 permit tcp 10.101.24.0 0.0.1.255 10.100.24.0 0.0.1.255 eq 3260
 permit tcp 10.100.24.0 0.0.1.255 10.101.24.0 0.0.1.255 eq 3260
 permit tcp 10.101.24.0 0.0.1.255 eq 3260 10.100.24.0 0.0.1.255
 permit tcp 10.100.24.0 0.0.1.255 eq 3260 10.101.24.0 0.0.1.255
ip access-list extended corpMAPI-ACL
 remark match corporate Exchange MAPI traffic PRIORITY AF11
 permit tcp 10.0.0.0 0.255.255.255 10.0.22.0 0.255.0.255 eq 7830
 permit tcp 10.0.22.0 0.255.0.255 eq 7830 10.0.0.0 0.255.255.255
ip access-list extended corpSERVER-RPC-ACL
 remark match server to server RPC traffic PRIORITY AF12
 permit tcp 10.100.0.10 0.0.255.0 gt 1024 10.100.0.10 0.0.255.0 gt 1024
 permit tcp 10.0.22.0 0.255.0.255 gt 1024 10.100.0.10 0.0.255.0 gt 1024
 permit tcp 10.100.0.10 0.0.255.0 gt 1024 10.0.22.0 0.255.0.255 gt 1024
ip access-list extended corpSHELL-ACL
 remark Match Corporate SSH and Telnet traffic FLASHOVERRIDE AF42
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22
 permit tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet
 permit tcp 10.0.0.0 0.255.255.255 eq telnet 10.0.0.0 0.255.255.255
ip access-list extended internetHTTP-ACL
 remark Match Internet HTTP/HTTPS traffic PRIORITY AF11
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 any eq www
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
ip access-list extended internetOTHER-ACL
 remark match Internet traffic NOT HTTP(s) PRIORITY AF12
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 any
line vty 0 4
 access-class 65 in
 exec-timeout 30 0
 password 7 XXXXXXXXXXXXXXX
 transport input ssh
ASKER
That didn't do anything. However, adding the following line to my corpSHELL-ACL access-list fixed the issue.
permit tcp any eq 22 any
Points if you can tell me why that makes a difference. I would think that the return traffic would have fallen under the default class.
ip access-list extended corpSHELL-ACL
 remark Match Corporate SSH and Telnet traffic FLASHOVERRIDE AF42
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22
 permit tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet
 permit tcp 10.0.0.0 0.255.255.255 eq telnet 10.0.0.0 0.255.255.255
 permit tcp any any eq 22
 permit tcp any eq 22 any
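To see where each leg of an SSH session lands under the posted class-maps, here is an added toy classifier written for this page (it is not code from the thread and not IOS). It models only the `match access-group` lines of two of the posted classes, in the order OUT-POLICY-TEST lists them, and treats packets as unmarked so the dscp/precedence matches never fire; 203.0.113.1 (WAN address) and 198.51.100.7 (admin host) are constructed stand-ins for the redacted x.x.x.x values. With the original corpSHELL-ACL, the return leg sourced from the WAN address (source port 22, source not inside 10/8) falls into class-default; with `permit tcp any eq 22 any` added it lands in FLASHOVERRIDE-AF42, while the same leg sourced from the LAN address matches the original ACL either way.

```python
# Added example (not IOS, not the router's code): a toy model of how the
# posted class-maps classify a packet through their "match access-group"
# lines. Packets are assumed unmarked; 203.0.113.1 and 198.51.100.7 are
# constructed stand-ins for the redacted x.x.x.x WAN address and an admin host.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
PORT_NAMES = {"telnet": 23, "www": 80}

# Subset of the posted ACLs; the asker's fix is the extra line in *_AFTER.
CORP_SHELL_BEFORE = [
    "permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22",
    "permit tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255",
    "permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq telnet",
    "permit tcp 10.0.0.0 0.255.255.255 eq telnet 10.0.0.0 0.255.255.255",
]
CORP_SHELL_AFTER = CORP_SHELL_BEFORE + ["permit tcp any eq 22 any"]
CORP_HTTP = [
    "permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq www",
    "permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 443",
    "permit tcp 10.0.0.0 0.255.255.255 eq www any",
    "permit tcp 10.0.0.0 0.255.255.255 eq 443 any",
]
ACLS_BEFORE = {"corpSHELL-ACL": CORP_SHELL_BEFORE, "corpHTTP-ACL": CORP_HTTP}
ACLS_AFTER = {"corpSHELL-ACL": CORP_SHELL_AFTER, "corpHTTP-ACL": CORP_HTTP}
# Class order as in policy-map OUT-POLICY-TEST (only the classes modelled).
POLICY_ORDER = [("IMMEDIATE-AF21", ["corpHTTP-ACL"]),
                ("FLASHOVERRIDE-AF42", ["corpSHELL-ACL"])]

def wildcard_match(addr, spec):
    """IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Wildcard bits set to 1 are don't-care (0.255.0.255 pins octets 1 and 3)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wild = spec.split()
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [eq|gt PORT] DST [eq|gt PORT]'."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def take_addr():
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "any"
        i += 2  # 'host X' and 'X WILDCARD' both consume two tokens
        return " ".join(toks[i - 2:i])

    def take_port():
        nonlocal i
        if i < len(toks) and toks[i] in ("eq", "gt"):
            op, val = toks[i], PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
            return op, val
        return None  # no port qualifier: any port matches

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return action, proto, src, sport, dst, dport

def port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def acl_permits(lines, pkt):
    """First matching ACE wins; falling off the end is the implicit deny."""
    for line in lines:
        action, proto, src, sport, dst, dport = parse_ace(line)
        if (proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, src) and port_ok(sport, pkt.sport)
                and wildcard_match(pkt.dst, dst) and port_ok(dport, pkt.dport)):
            return action == "permit"
    return False

def classify(pkt, acls):
    """Walk the policy-map classes in order; match-any = any listed ACL permits."""
    for class_name, groups in POLICY_ORDER:
        if any(acl_permits(acls[g], pkt) for g in groups):
            return class_name
    return "class-default"

def compare(pkt):
    """(class before the asker's extra ACL line, class after it)."""
    return classify(pkt, ACLS_BEFORE), classify(pkt, ACLS_AFTER)

# Constructed scenarios: the return leg of an SSH session to the WAN address,
# the same leg from the LAN address (reached via the tunnel), and plain HTTP.
SSH_FROM_WAN_IP = Packet("tcp", "203.0.113.1", 22, "198.51.100.7", 51022)
SSH_FROM_LAN_IP = Packet("tcp", "10.100.152.1", 22, "10.101.7.20", 51023)
HTTP_REQUEST = Packet("tcp", "10.100.152.50", 40001, "10.101.1.10", 80)

if __name__ == "__main__":
    for pkt in (SSH_FROM_WAN_IP, SSH_FROM_LAN_IP, HTTP_REQUEST):
        print(pkt, "->", compare(pkt))
```

A check like this is cheap to run before attaching a service-policy to the one interface you manage a router through: feed it the router's own management flows (source port 22 from the interface address, toward whatever hosts your access-class allows) and confirm they land in the class you intend rather than in class-default.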
ASKER
Additionally my IPSec tunnel dies after a period of time. Something else is going on here.
ASKER CERTIFIED SOLUTION
I advise you to give SSH a 64 Kbps priority queue.