FlexVPN and QoS on tunnels

panfyoric40
Level 1

There is a simple topology: a hub and some spokes. FlexVPN is working between them with psk, BGP and no radius.

Now I want QoS on the hub and spokes. The hub has an ISP connection with, let's say, 100Mb and some spokes have 10Mb, some have 5Mb and so on.

Each spoke has a tunnel interface and a Virtual-Template interface. I can apply "service-policy output" on these interfaces, no problem. (Should I apply "service-policy output" on the tunnel interface, on the Virtual-Template interface, or on both of them? I am still not sure, but it is not a big problem.)

What should I do with the hub which has only one tunnel interface and one Virtual-Template interface for all the spokes?

If I had 100 spokes the hub would still have only one tunnel interface and one Virtual-Template interface for all the spokes. The hub also has Virtual-Access interfaces for each spoke; they are sort of dynamic. I do not create them, they appear by themselves and I am not able to configure them. When I try to configure them, the Cisco says: % Please use virtual template to configure your virtual access.

How and where can I apply "service-policy output" on the hub if I want unique QoS for each spoke?

 

1 Accepted Solution


Marcin Latosiewicz
Cisco Employee

Since you're not using RADIUS you can apply config dynamically with AAA attribute lists. 

 

I described similar config (including a very basic policy) in this document http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116032-flexvpn-aaa-config-example-00.html

 

To answer your questions, you always apply config to VAs via the template. 

(In this case) Attributes are added to VAs, not to VTs; you use VT as base of what you need, followed by additional dynamic attributes for VAs.

 

For tunnel interfaces (on spokes) it's pretty easy to enable QoS, but what you might look into is applying policy on physical interface and not tunnel interface (remember that DSCP values are copied over to external header). After all you want to manage the bandwidth towards ISP not towards the VPN cloud, most of the time. 
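
A hub-side sketch of the approach in the answer above, added here as an example and not taken from the original post or the linked Cisco document: each spoke gets its own IKEv2 authorization policy, and that policy's AAA attribute list pushes a "service-policy output" onto that spoke's Virtual-Access interface. All names (FLEX_AUTHZ, SPOKE_NAME, FLEX_HUB, FLEX_KEYS, spoke1/spoke2, SHAPE-10M/SHAPE-5M, example.com) are assumptions, as is the premise that each spoke sends an FQDN IKE identity such as spoke1.example.com.

```cisco
! Added example: per-spoke QoS on the hub without RADIUS. All names are assumed.
aaa new-model
aaa authorization network FLEX_AUTHZ local
!
! One shaper per spoke access rate (10 Mb/s and 5 Mb/s, as in the question)
policy-map SHAPE-10M
 class class-default
  shape average 10000000
policy-map SHAPE-5M
 class class-default
  shape average 5000000
!
! Attribute lists hold interface commands that are applied to the
! Virtual-Access cloned for that spoke, on top of the Virtual-Template
aaa attribute list spoke1
 attribute type interface-config "service-policy output SHAPE-10M"
aaa attribute list spoke2
 attribute type interface-config "service-policy output SHAPE-5M"
!
! The authorization policy name must equal the mangled IKE identity
crypto ikev2 authorization policy spoke1
 aaa attribute list spoke1
crypto ikev2 authorization policy spoke2
 aaa attribute list spoke2
!
! spoke1.example.com -> "spoke1"
crypto ikev2 name-mangler SPOKE_NAME
 fqdn hostname
!
! Keyring FLEX_KEYS (the per-spoke PSKs) is assumed to exist already
crypto ikev2 profile FLEX_HUB
 match identity remote fqdn domain example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX_KEYS
 aaa authorization group psk list FLEX_AUTHZ name-mangler SPOKE_NAME
 virtual-template 1
```

After a spoke connects, `show derived-config interface Virtual-Access<n>` shows whether the service-policy was applied to that spoke's interface.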


panfyoric40
Level 1

Thank you very much. I am reading the document and it is what I was looking for.

Another question: I want the tunnel IP address on the spokes to be always the same. Can I configure static IP on the spoke's tunnel interface or should it be pushed down from the hub to the spoke?

 
