11-27-2014 12:24 AM - edited 02-21-2020 07:57 PM
Hi,
Is it possible to apply QoS on Cisco routers to provide certain types of traffic priority within an Anyconnect SSL VPN connection ?
The VPN will be established from users using mobile devices such as iPhones
Thanks
11-27-2014 05:27 AM
Do you want to apply QoS to the encrypted streams to/from the remote users? If so, you can use an access-list to identify the traffic (i.e. tcp/443 to/from your VPN headend) and use that in a class-map that's referenced by the policy-map and then applied to the appropriate router interface. It may be a bit imprecise since there may be multiple connection profiles on the headend and this would catch them all. You will be limited to sorting out VPN / non-VPN traffic into classes. Since the streams are encrypted you can't do anything to their internal contents.
If you want to apply QoS on the traffic within the VPN then you would be limited to whatever is going in at the headend from the private network. You have to have a point where you see all the unencrypted traffic and can match on its characteristics (DSCP, source IP, port number etc.).
Coming from the user ends you wouldn't have any means of prioritizing, shaping or policing the traffic until it drops out unencrypted at your end.
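The two placements described in the reply above, written out as an IOS MQC configuration. This is an added example, not configuration from the original post or from Cisco documentation; the headend address 203.0.113.10, the interface names, the class and policy names, and the bandwidth percentages are assumptions chosen for illustration. The first policy sits on the WAN interface and can only classify the encrypted tunnel as a whole (the tcp/443 stream to and from the headend); the second sits on the inside interface facing the headend and classifies the unencrypted traffic by DSCP and RTP port range before it is wrapped in SSL. Check which transports your headend actually negotiates before relying on the access-list; the example matches only what the reply names, tcp/443.

```ios
! ---- 1. WAN-side policy: the router only sees the SSL tunnel ----
! Access-list that identifies traffic to/from the VPN headend.
! 203.0.113.10 is an assumed (documentation-range) headend address.
ip access-list extended VPN-SSL
 permit tcp any host 203.0.113.10 eq 443
 permit tcp host 203.0.113.10 eq 443 any
!
! Class that references the access-list. Every connection profile on the
! headend lands in this one class; the encrypted contents cannot be split.
class-map match-any VPN-SSL
 match access-group name VPN-SSL
!
! Reserve bandwidth for the whole tunnel and mark the outer header.
! The DSCP value applies to the tunnel as a unit, not to flows inside it.
policy-map WAN-OUT
 class VPN-SSL
  bandwidth percent 30
  set dscp af31
 class class-default
  fair-queue
!
! Assumed WAN interface name.
interface GigabitEthernet0/1
 description WAN uplink
 service-policy output WAN-OUT
!
! ---- 2. Inside policy: traffic is still in the clear here ----
! Match voice by its DSCP marking or by the RTP port range
! (match ip rtp <starting-port> <port-range>) before encryption.
class-map match-any VOICE-PRECRYPT
 match dscp ef
 match ip rtp 16384 16383
!
! Strict-priority queue for voice toward the headend; everything else
! shares the remaining bandwidth fairly.
policy-map TO-HEADEND
 class VOICE-PRECRYPT
  priority percent 20
 class class-default
  fair-queue
!
! Assumed inside interface that carries traffic to the VPN headend.
interface GigabitEthernet0/0
 description inside link toward VPN headend
 service-policy output TO-HEADEND
```

To confirm that packets are actually hitting the intended class, use `show policy-map interface GigabitEthernet0/1` (and the same for GigabitEthernet0/0) and compare the per-class packet counters with the traffic you expect; a class with zero matches usually means the access-list or the DSCP marking does not describe what is really on the wire.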
11-27-2014 06:04 AM
Hi and thanks for your response.
My scenario is this.
Mobile users (iPhone/Android) are connected to the corporate network and use Cisco Anyconnect to access internal mobile apps.
Some mobile apps (such as voice/video) might require different packet markings than others, so that they are treated correctly on the WAN routers.
What I'm trying to understand is whether the DSCP markings can be placed on the outside of the Anyconnect VPN tunnel so that our WAN routers can see them.
I realise I could prioritize all Anyconnect traffic on our routers, but I'd like to understand whether I can prioritize the traffic types within the VPN tunnel.
Thanks
11-27-2014 09:46 AM
No - once they're wrapped in the SSL VPN the individual streams cannot be differentiated. All an intermediate router (or other QoS control point) will see is a monolithic tcp/443 (SSL) stream of data.