Cisco IOS Management Plane Default QoS

Just an observation.

Cisco IOS routers and switches mark locally originated SSH and Telnet traffic with 802.1p = 6, DSCP = CS6 (48). That is, if you initiate an SSH session to the router, the returning traffic will have DSCP set to CS6. It’s a bit weird because Cisco IOS CLI states that default DSCP value for locally originated SSH packets is 0.

C3750(config)#ip ssh dscp ?
  <0-63>  ip dscp value (default value 0 )

I have explicitly set SSH’s DSCP to 0 and confirmed the switch stared to use DSCP Default 0 for all new connections. There’s a similar command for telnet:

C3750(config)#ip telnet tos ?
  <0-FF>  TOS value

So, keep this in mind if you design End-to-End QoS model.

P.S. Cisco WLC does not treat SSH traffic in a special way by default – tested!



  1. ibarrere says:

    Some IOS services don’t allow you to set the DSCP value with a command so I typically use the command “ip local policy” referencing a route-map to mark device-originated traffic with specific DSCP values. The route-maps can typically only set precedence bits, so you’re limited to the CS classes. Something like this to set SSH and syslog to CS2:

    ip access-list extended LOCAL_DCSP
    permit tcp any eq 22 any
    permit udp any eq 514 any
    permit udp any any eq 514

    route-map LOCAL_DSCP permit 10
    match ip address LOCAL_DSCP
    set ip precedence immediate
    ip local policy route-map LOCAL_DSCP

    • Yes, I agree. It is better way to do that (gives you more control). I would do it same way.
      My post above is only to make people aware about default IOS behavior. Anyway, thanks for the feedback.

  2. Krish says:

    How can we check which DSCP value the router uses for the SSH connections originating from the router itself?

  3. I have noticed that local policy and interface’s assigned service policy DO NOT classify locally originated NetFlow traffic (even though there’s an appropriate ACE). I am trying to understand the way to do that at the moment and a separate post will follow (assuming I found the way!)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: