Cisco IOS Management Plane Default QoS

Just an observation.

Cisco IOS routers and switches mark locally originated SSH and Telnet traffic with 802.1p = 6, DSCP = CS6 (48). That is, if you initiate an SSH session to the router, the returning traffic will have DSCP set to CS6. It’s a bit weird, because the Cisco IOS CLI states that the default DSCP value for locally originated SSH packets is 0.

C3750(config)#ip ssh dscp ?
  <0-63>  ip dscp value (default value 0 )

I have explicitly set SSH’s DSCP to 0 and confirmed the switch started to use DSCP Default 0 for all new connections. There’s a similar command for Telnet:

C3750(config)#ip telnet tos ?
  <0-FF>  TOS value

So, keep this in mind if you design an end-to-end QoS model.

P.S. Cisco WLC does not treat SSH traffic in a special way by default – tested!
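One way to verify the marking described above from a packet capture, as an added example that is not part of the original post: `ip ssh dscp` takes a DSCP value (0-63) while `ip telnet tos` takes the whole ToS byte (0-FF), so the sketch converts between the two and flags SSH/Telnet replies whose DSCP is not the expected one. The function names, the expected value of 0 and the sample packets (built inline with documentation addresses) are assumptions made for the example.

```python
import struct

# Class-selector code points: CSn = n << 3, so CS6 = 48 as in the post.
CS_NAMES = {n << 3: f"CS{n}" for n in range(8)}

def tos_to_dscp(tos: int) -> int:
    """ToS byte (the 0-FF argument of 'ip telnet tos') -> DSCP (0-63)."""
    return (tos & 0xFF) >> 2

def dscp_to_tos(dscp: int) -> int:
    """DSCP (the 0-63 argument of 'ip ssh dscp') -> ToS byte with ECN = 0."""
    return (dscp & 0x3F) << 2

def classify(packet: bytes):
    """Return (tcp_src_port, dscp, name) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4         # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 4:
        return None                      # bad header, not TCP, or no ports
    dscp = tos_to_dscp(packet[1])
    (src_port,) = struct.unpack_from("!H", packet, ihl)
    return src_port, dscp, CS_NAMES.get(dscp, f"DSCP {dscp}")

def unexpected_marking(packets, mgmt_ports=(22, 23), expected_dscp=0):
    """Management-plane replies (source port 22/23) not marked as expected."""
    findings = []
    for pkt in packets:
        info = classify(pkt)
        if info and info[0] in mgmt_ports and info[1] != expected_dscp:
            findings.append(info)
    return findings

def build_packet(tos: int, src_port: int, dst_port: int = 50000) -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18,
                      1024, 0, 0)
    return ip + tcp

# Constructed capture: SSH at CS6, SSH at 0, Telnet at CS6, HTTPS at CS6.
SAMPLES = [build_packet(0xC0, 22), build_packet(0x00, 22),
           build_packet(0xC0, 23), build_packet(0xC0, 443)]

if __name__ == "__main__":
    for src_port, dscp, name in unexpected_marking(SAMPLES):
        print(f"tcp/{src_port} reply marked {name} (ToS 0x{dscp_to_tos(dscp):02X})")
```
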

 

5 thoughts on “Cisco IOS Management Plane Default QoS”

  1. ibarrere

    Some IOS services don’t allow you to set the DSCP value with a command so I typically use the command “ip local policy” referencing a route-map to mark device-originated traffic with specific DSCP values. The route-maps can typically only set precedence bits, so you’re limited to the CS classes. Something like this to set SSH and syslog to CS2:

    ip access-list extended LOCAL_DSCP
    permit tcp any eq 22 any
    permit udp any eq 514 any
    permit udp any any eq 514

    !
    route-map LOCAL_DSCP permit 10
    match ip address LOCAL_DSCP
    set ip precedence immediate
    !
    ip local policy route-map LOCAL_DSCP

    1. Tim Dmitrenko Post author

      Yes, I agree. It is a better way to do that (gives you more control). I would do it the same way.
      My post above is only to make people aware of the default IOS behavior. Anyway, thanks for the feedback.

  2. Krish

    How can we check which DSCP value the router uses for the SSH connections originating from the router itself?

  3. Tim Dmitrenko Post author

    I have noticed that local policy and interface’s assigned service policy DO NOT classify locally originated NetFlow traffic (even though there’s an appropriate ACE). I am trying to understand the way to do that at the moment and a separate post will follow (assuming I find a way!)
