Cisco QoS: match protocol ssh does not work, not even with an ACL

Luca Pecchiari
Level 1

Hello, I am trying to apply this policy map; it works, but I have an issue with SSH traffic that starts from the PC inside and goes outside. (Cisco 887VA)

SSH is not recognized, neither by match protocol ssh nor by the ACL match access-group 114.

Guys, please, what am I doing wrong?

The service policy is set on the ATM interface:

 

service-policy out QoS-Out-parent-test

----------------------------

class-map match-any ssh-interactive
match access-group 114
class-map match-any Management-1
match protocol dhcp
match protocol dns
match protocol imap
match protocol kerberos
match protocol ldap
match protocol secure-imap
match protocol secure-ldap
match protocol snmp
match protocol socks
match protocol syslog
class-map match-any Signaling-1
match protocol h323
match protocol rtcp
match protocol sip
class-map match-any Voice-1
match protocol rtp audio
match application user-teamviewr_tcp
match application user-teamviewr_udp
match application user-trurconf_tcp
class-map match-any Transactional-1
match protocol citrix
match protocol finger
match protocol notes
match protocol novadigm
match protocol pcanywhere
match protocol secure-telnet
match protocol sqlnet
match protocol sqlserver
match protocol ssh
match protocol telnet
match protocol xwindows
match class-map ssh-interactive
!

policy-map QoS-Out-child-test
class Voice-1
priority percent 30
class Signaling-1
bandwidth percent 10
class Transactional-1
bandwidth percent 10
class Management-1
bandwidth percent 10
class class-default
fair-queue
random-detect
bandwidth percent 30
policy-map QoS-Out-parent-test
class class-default
shape average 935000
service-policy QoS-Out-child-test

 

access-list 114 remark *************************************
access-list 114 remark # SSH QOS
access-list 114 permit tcp any any eq 22
access-list 114 permit tcp any eq 22 any
access-list 114 permit udp any any eq 22
access-list 114 permit udp any eq 22 any
access-list 114 remark *************************************

 

Thank you for your help

1 Accepted Solution

Accepted Solutions

Luca Pecchiari
Level 1

Morning brought me the light.

I totally forgot that I was trying to make QoS for encrypted VPN traffic.

Basically, I have an internal PC that opens a PPTP connection that passes through the router to reach the server on the internet. (The tunnel is not made by the router.)

Match of course will not work in this case, since NBAR cannot work on this. Using pre-classify cannot work either, since data comes to the router already encrypted.

To QoS the VPN traffic I used an ACL pointing at the VPN server, and now it works fine. All that traffic fits the ACL and it is fine.
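As an added example (not the poster's own configuration): an ACL that classifies the PPTP session to the VPN server by address and protocol, so the tunnel carrying the SSH session lands in the existing Transactional-1 class. The VPN server address 203.0.113.10, the inside LAN 192.168.1.0/24 and the interface name ATM0 are assumptions.

```cisco
! Added example, not the original poster's config.
! NBAR cannot see SSH inside the PPTP tunnel, so match the tunnel itself:
! PPTP uses TCP 1723 for the control channel and GRE (IP protocol 47) for data.
! 203.0.113.10 = assumed VPN server, 192.168.1.0/24 = assumed inside LAN.
ip access-list extended VPN-TO-SERVER
 remark PPTP control channel to the VPN server
 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 1723
 remark PPTP data channel (GRE) to the VPN server
 permit gre 192.168.1.0 0.0.0.255 host 203.0.113.10
!
! match-any class: the new line is appended to the existing matches,
! so the bandwidth allocation in QoS-Out-child-test does not change.
class-map match-any Transactional-1
 match access-group name VPN-TO-SERVER
!
! Verification (ATM0 is a placeholder for the interface carrying the policy):
! the Transactional-1 match counters must increase while an SSH session
! runs inside the tunnel, and the ACL hit counts must be non-zero.
! show policy-map interface ATM0 output
! show access-lists VPN-TO-SERVER
```

A port-22 ACL such as access-list 114 only matches SSH that leaves the LAN in the clear; once the session is inside the tunnel the router sees only GRE and TCP 1723, which is why the ssh-interactive class never counts a packet.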
