Mark DSCP on traffic from the control plane

From Internetworkpro

This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.
This page contains unsupported information
Please note that the information on this page is unsupported and we will not be responsible for any damages or failures to your equipment. Please follow with care.

Set up the normal QoS configuration. Don't worry about the source IP address, although you may or may not want to change the destination. (Note: for simplicity, this configuration was created in a lab using NBAR (match protocol). NBAR increases the load on the router and may not be ideal for control-plane traffic.)

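! RADIUS authentication/accounting: 1812/1813 (current) and 1645/1646 (legacy)
ip access-list extended RADIUS
 permit udp any any eq 1812
 permit udp any any eq 1813
 permit udp any any eq 1645
 permit udp any any eq 1646
! TACACS+ (TCP port 49)
ip access-list extended TACACS
 permit tcp any any eq tacacs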

class-map match-any LOCAL-OAM
 match protocol telnet
 match protocol ssh
 match protocol snmp
 match protocol syslog
 match protocol rcmd
 match access-group name TACACS
 match access-group name RADIUS
 match protocol ntp

policy-map MARK_LOCAL
 class LOCAL-OAM
  set ip dscp cs2


Create a policy to route all local traffic to the loopback first. (Please note: deploying this in your environment could affect your control-plane traffic. Always test your configs in a live lab first.)

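! No match clause: every packet the policy is applied to is sent to Loopback0
route-map LOCAL_POLICY permit 10
 set interface Loopback0

! Apply the route-map to packets generated by the router itself
ip local policy route-map LOCAL_POLICY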

Apply the policy map to the loopback in the inbound direction.

interface Loopback0
 ip address 10.1.255.1 255.255.255.255
 service-policy input MARK_LOCAL
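
To check the result of the configuration above, the following added example (not part of the original page) audits raw IPv4 packets captured from the router and reports LOCAL-OAM traffic that is not marked CS2. The ports standing in for the NBAR protocols are assumed well-known ports, and the sample packets are constructed.

```python
import struct

CS2 = 16  # DSCP value of class selector 2 (ToS byte 0x40)
# Assumption: well-known ports stand in for the NBAR "match protocol" entries.
NBAR_PORTS = {
    6: {22, 23, 512, 513, 514},  # ssh, telnet, rcmd (rexec/rlogin/rsh)
    17: {123, 161, 162, 514},    # ntp, snmp, snmp traps, syslog
}
# The ACLs on the page match the destination port only (TACACS, RADIUS).
ACL_DST_PORTS = {6: {49}, 17: {1812, 1813, 1645, 1646}}

def parse_ipv4(pkt):
    """Return (dscp, proto, sport, dport) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("bad or truncated header")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return pkt[1] >> 2, pkt[9], sport, dport  # DSCP is the top 6 ToS bits

def in_local_oam(proto, sport, dport):
    """Approximate the LOCAL-OAM class-map for TCP (6) and UDP (17)."""
    nbar = NBAR_PORTS.get(proto, ())
    return dport in ACL_DST_PORTS.get(proto, ()) or sport in nbar or dport in nbar

def audit(packets):
    """Return indexes of LOCAL-OAM packets that are not marked CS2."""
    bad = []
    for i, pkt in enumerate(packets):
        dscp, proto, sport, dport = parse_ipv4(pkt)
        if proto in (6, 17) and in_local_oam(proto, sport, dport) and dscp != CS2:
            bad.append(i)
    return bad

def build(tos, proto, sport, dport):
    """Constructed sample: 20-byte IPv4 header plus ports, checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 24, 0, 0, 64, proto, 0,
                      bytes([10, 1, 255, 1]), bytes([192, 0, 2, 10]))
    return hdr + struct.pack("!HH", sport, dport)

SAMPLES = [
    build(0x40, 17, 49152, 1812),  # RADIUS, marked CS2
    build(0x00, 6, 49153, 49),     # TACACS, unmarked
    build(0x40, 6, 22, 50000),     # SSH reply, marked CS2
    build(0x00, 17, 49154, 53),    # DNS, not in LOCAL-OAM
    build(0xC0, 17, 123, 123),     # NTP, marked CS6 instead of CS2
]
if __name__ == "__main__":
    print("LOCAL-OAM packets not marked CS2:", audit(SAMPLES))
```
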