From: joshua atterbury (joshuaatterbury@gmail.com)
Date: Wed Jan 21 2009 - 21:23:20 ARST
Joe,
For the ssh component, do you not have "match protocol ssh" as an option in
the class-map? I always thought that secure-telnet != ssh.
Josh.
On Thu, Jan 22, 2009 at 8:21 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
> Hello guys,
>
> I am pretty new to QoS configurations, but am trying to prioritize some
> things in my home network. I am a bit confused, as when I had "match
> protocol secure-telnet" configured and was ssh'd into my router when
> shaping was active I was not seeing any counters increase. However, when
> I added a "match access-group ssh" into it which was just "permit tcp any
> any eq ssh" as well as "permit tcp any eq ssh any" those counters did
> increase. Is there any reason for this you guys can think of? Here is my
> configuration: Note I pay Comcast for 8Mb/384kb service. Any input on if
> my QoS is actually correct would be appreciated as a side note :) I'll put
> some explanations of what I *think* is going on at this point below.
>
> */ So here are my 2 interfaces, fa0/1 is my cable modem, fa0/0.1 is my
> inside LAN /*
>
> Bono(config-cmap)#do sh run int fa0/1 | i description|service-policy|bandwidth
> description WAN
> bandwidth 384
> max-reserved-bandwidth 100
> service-policy output parent
>
> Bono(config-subif)#do sh run int fa0/0.1 | i description|service-policy|bandwidth
> description LAN subinterface
> bandwidth 8000000
> service-policy output lan
>
>
> */ I shape the output of the WAN interface to 384k because that is what I
> pay for. I nest in the service-policy "priority-traffic" so that it does
> cbwfq /* Note, if I do "show queueing int fa0/1" it shows no queueing but
> if I do "show policy-map int fa0/1" it shows everything and counters
> increment as expected. Not sure if this is an effect of the nesting.
>
> Bono(config-subif)#do sh policy-map parent
> Policy Map parent
> Class class-default
> Traffic Shaping
> Average Rate Traffic Shaping
> CIR 384000 (bps) Max. Buffers Limit 1000 (Packets)
> service-policy priority-traffic
>
> */ If my uplink is congested I want to give 50% of my bandwidth (192k) to
> my "priority" traffic which includes www, https, telnet, ssh, email and some
> other stuff you see in the class-map. I also wish to give my Vonage 128k
> bandwidth /*
>
> Policy Map priority-traffic
> Class priority-traffic
> Bandwidth 50 (%) Max Threshold 64 (packets)
> Class call-signalling
> Bandwidth 10 (%) Max Threshold 64 (packets)
> Class voice
> Strict Priority
> Bandwidth 128 (kbps) Burst 3200 (Bytes)
>
> Class Map match-any priority-traffic (id 4)
> Match protocol http
> Match protocol secure-http
> Match protocol telnet
> Match protocol secure-telnet
> Match protocol smtp
> Match protocol pop3
> Match protocol imap
> Match protocol secure-pop3
> Match protocol secure-imap
> Match protocol secure-ftp
> Match protocol ftp
> Match access-group name rdp
> Match access-group name ssh
>
> Class Map match-any call-signalling (id 1)
> Match access-group name sip
>
> Bono(config-subif)#do sh class-map voice
> Class Map match-any voice (id 2)
> Match protocol rtp audio
>
>
> */ Here is where I am not quite sure on some things. The idea here is that
> I want to shape traffic coming from the internet to 8Mb but not my internal
> network stuff because it is a fastethernet interface. So by nesting
> service-policy priority-lan inside of the lan policy-map that has shaping
> on it, I am hoping to only shape/queue non 10.0.0.0/8 traffic. /*
>
> Policy Map lan
> Class outside
> Traffic Shaping
> Average Rate Traffic Shaping
> CIR 8000000 (bps) Max. Buffers Limit 1000 (Packets)
> service-policy priority-lan
> Class class-default
>
> Bono(config-subif)#do sh class outside
> Class Map match-all outside (id 5)
> Match access-group 55
>
> Bono(config-subif)#do sh access-list 55
> Standard IP access list 55
> 10 deny 10.0.0.0, wildcard bits 0.255.255.255 (3039 matches)
> 20 permit any (1922730 matches)
>
> Policy Map priority-lan
> Class priority-traffic
> Strict Priority
> Bandwidth 50 (%)
>
>
> So I guess that is it. I am wondering if this is doing what I have
> explained, and also about that secure shell thing and show queueing thing.
> Any help much appreciated guys!
>
> - Joe A
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
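
An added example, not part of the original thread or of anyone's configuration: a simplified Python model of the two access-list matches in the quoted config (ACL 55's source wildcard test and the `ssh` extended ACL), next to a port-only stand-in for `secure-telnet`. Assumptions: `secure-telnet` is modelled as the registered telnet-over-TLS port 992, and the sample addresses and flows are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

# ACL 55 as shown in the post; "permit any" is 0.0.0.0 with an all-ones wildcard.
ACL_55 = [("deny", "10.0.0.0", "0.255.255.255"),
          ("permit", "0.0.0.0", "255.255.255.255")]

def standard_acl(acl, src):
    """Standard ACL: source address only, first matching entry wins."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny when nothing matches

def lan_class(src):
    """Policy-map 'lan': class 'outside' takes only packets ACL 55 permits."""
    return "outside" if standard_acl(ACL_55, src) == "permit" else "class-default"

def acl_ssh(proto, sport, dport):
    """Extended ACL 'ssh' from the post: tcp any any eq 22 / tcp any eq 22 any."""
    return proto == "tcp" and (dport == 22 or sport == 22)

def secure_telnet(proto, sport, dport):
    """Assumption: secure-telnet modelled by port 992 (telnet over TLS) only."""
    return proto == "tcp" and 992 in (sport, dport)

def count_matches(flows):
    """Simplified per-match counters for the two match statements."""
    counters = {"secure-telnet": 0, "acl ssh": 0}
    for proto, sport, dport in flows:
        counters["secure-telnet"] += secure_telnet(proto, sport, dport)
        counters["acl ssh"] += acl_ssh(proto, sport, dport)
    return counters

# Constructed flows: one SSH session seen in both directions, plus one HTTPS packet.
FLOWS = [("tcp", 51515, 22), ("tcp", 22, 51515), ("tcp", 40000, 443)]

if __name__ == "__main__":
    for src in ("10.1.2.3", "192.0.2.10"):  # constructed source addresses
        print(src, "->", lan_class(src))
    print(count_matches(FLOWS))
```
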
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST