03-15-2016 08:35 AM - edited 03-05-2019 03:33 AM
I am new to configuring DMVPN, currently assisting on configuring prioritization of networks over a
Prioritization for Destination Network:
10.255.0.0/24 - any
10.255.4.0/24 - any
174.128.1.0/24 – HTTPS and HTTP
interface Tunnel0
description DMVPN
no
keepalive 5 3
tunnel source GigabitEthernet0/0/1
tunnel mode
03-15-2016 11:37 AM
Are you referring to QoS here - where you want those networks to get a larger share of the bandwidth; or are you referring to routing and you want those networks to go over the tunnel in preference to some other path?
03-15-2016 12:14 PM
Hi Phil,
larger share of the bandwidth
03-15-2016 12:19 PM
We will need to create a hierarchical policy. How much bandwidth is there on the circuit?
03-15-2016 12:30 PM
Not sure how much bandwidth yet. Can you give an example of what the configuration would look like?
03-15-2016 12:34 PM
Is GigabitEthernet0/0/1 dedicated to DMVPN, or is it shared for other purposes as well (aka normal Internet traffic goes through it as well)?
03-15-2016 12:40 PM
It is for DMVPN and internet as well
03-15-2016 12:47 PM
What about using Policy Based Routing with Route-Maps?
03-15-2016 01:08 PM
Any suggestions to make it work are welcome
03-15-2016 01:17 PM
That changes where the traffic will go, but not the "priority" of the traffic.
03-15-2016 01:34 PM
OK. I guess I'm not sure of the objective.
I was thinking we just want to prioritize that traffic to go over the DMVPN connection, but use a different route if the DMVPN connection isn't available.
03-15-2016 01:30 PM
So you would do two standard access lists with permit statements for
10.255.0.0/24 - any
10.255.4.0/24 - any
Then an extended access list:
ip access-list extended HTTP-TRAFFIC
 permit tcp 174.128.1.0 0.0.0.255 any eq 80 443
Then
route-map [NAME] permit 10
 match ip address [ACL 1]
 set ip next-hop [I think you would use the local ip from the nhrp map, but I'm not sure]
Then repeat that for each of the other two ACLs, e.g. "route-map [NAME] permit 20"
03-15-2016 01:36 PM
In that case, I recommend using DSCP markings.
First create a top level policy limiting the bandwidth to the actual circuit capacity. This example is for a 50Mb/s circuit. This goes on Gig0/0/1.
policy-map pm-Gi001
 class class-default
  shape average 50000000
  service-policy pm-QoS
Then a sub-policy. This is a generic QoS policy I use.
policy-map pm-QoS
 class cm-qos-voice
  priority percent 33
 class cm-qos-call-signalling
  bandwidth percent 5
 class cm-qos-critical-data
  bandwidth percent 36
 class cm-qos-scavenger
  bandwidth percent 1
 class class-default
  bandwidth percent 25
  fair-queue 512
  queue-limit 1024 packets
Now the class definitions for our network wide QoS policy.
class-map match-any cm-qos-voice
 match ip dscp ef
class-map match-any cm-qos-scavenger
 match ip dscp cs1
class-map match-any cm-qos-critical-data
 match ip dscp cs6
 match ip dscp af21 af22
 match ip dscp cs2
class-map match-any cm-qos-call-signalling
 match ip dscp cs3
 match ip dscp af31
Now on your DMVPN tunnel tell it to preserve/copy the QoS marking so we can process it after encapsulation.
interface Tunnel 0
 qos pre-classify
Now we can QoS process traffic whether it is Internet traffic, DMVPN traffic, or anything else that flows through this interface.
Anything that you put into cm-qos-scavenger can use all free bandwidth, but is the first to get discarded. So great for large file transfers, replication, etc.
Business critical traffic, aka your traffic, should go into cm-qos-critical-data. You can mark this on the switch interfaces that kit is plugged into, or mark it as it enters the lan side interface on the router. For example, for vlan1:
access-list 101 permit ip any 10.255.0.0 0.0.0.255
access-list 101 permit ip any 10.255.4.0 0.0.0.255
access-list 101 permit tcp any 174.128.1.0 0.0.0.255 eq 80
access-list 101 permit tcp any 174.128.1.0 0.0.0.255 eq 443
class-map match-all cm-mark-vlan1
 match access-group 101
policy-map pm-mark-vlan1
 class cm-mark-vlan1
  set ip dscp af21
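IOS wildcard masks are inverted netmasks, so a /24 is written 0.0.0.255, and a wider wildcard silently marks more traffic as critical data than intended. The following check for a marking ACL such as access-list 101 is an added example, not part of the original post; the function names are illustrative and the sample ACL lines are constructed.

```python
import ipaddress
import re

# Destination networks the thread asks to prioritize (from the first post).
INTENDED = [ipaddress.ip_network(n) for n in
            ("10.255.0.0/24", "10.255.4.0/24", "174.128.1.0/24")]

# Numbered ACL entry of the form used in the thread: permit <proto> any <dst> <wildcard>
ACE = re.compile(r"^access-list\s+\d+\s+permit\s+(?:ip|tcp|udp)\s+any\s+"
                 r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")

def wildcard_to_network(addr, wildcard):
    """Network matched by an IOS address/wildcard pair (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is always 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wc.bit_length()))

def audit(config_text):
    """Return (line, matched_network, verdict) for every destination entry."""
    findings = []
    for line in config_text.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue
        net = wildcard_to_network(*m.groups())
        if net in INTENDED:
            verdict = "ok"
        elif any(i.subnet_of(net) for i in INTENDED):
            verdict = "too-broad"   # covers an intended network plus extra space
        else:
            verdict = "unexpected"  # not one of the networks to prioritize
        findings.append((line.strip(), net, verdict))
    return findings

# Constructed sample: one correct /24 entry and two with a /8-wide wildcard.
SAMPLE = """\
access-list 101 permit ip any 10.255.0.0 0.0.0.255
access-list 101 permit ip any 10.255.4.0 0.255.255.255
access-list 101 permit tcp any 174.128.1.0 0.255.255.255 eq 443
"""

if __name__ == "__main__":
    for line, net, verdict in audit(SAMPLE):
        print(f"{verdict:10} matches {net}  <- {line}")
```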
03-15-2016 01:40 PM
Note this thread is off topic in this community (no topic is appropriate in this community).
Thus it may be deleted in the future. If deleted, it will not help future readers. Moreover, Philip D'Ath will lose all reward gained for their valuable help.
You may consider moving it to a community according to the topic (use the blue edit button at the top right to move it).