Anyconnect VPN and QoS

lee.messenger
Level 1

Hi,

 

Is it possible to apply QoS on Cisco routers to provide certain types of traffic priority within an Anyconnect SSL VPN connection?

The VPN will be established from users using mobile devices such as iPhones

 

Thanks

3 Replies

Marvin Rhoads
Hall of Fame

Do you want to apply QoS to the encrypted streams to/from the remote users? If so, you can use an access-list to identify the traffic (i.e. tcp/443 to/from your VPN headend) and use that in a class-map that's referenced by the policy-map and then applied to the appropriate router interface. It may be a bit imprecise since there may be multiple connection profiles on the headend and this would catch them all. You will be limited to sorting out VPN / non-VPN traffic into classes. Since the streams are encrypted you can't do anything to their internal contents.

If you want to apply QoS on the traffic within the VPN then you would be limited to whatever is going in at the headend from the private network. You have to have a point where you see all the unencrypted traffic and can match on its characteristics (DSCP, source IP, port number etc.).

Coming from the user ends you wouldn't have any means of prioritizing, shaping or policing the traffic until it drops out unencrypted at your end.
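The access-list / class-map / policy-map approach described in the reply above, written out as an added Cisco IOS example (not configuration from either poster). The headend address 192.0.2.10, the WAN interface GigabitEthernet0/1 and the 20 percent priority budget are assumed placeholders; UDP/443 is included because AnyConnect can also carry DTLS on that port, which the reply does not mention.

```cisco
! Added example: classify the encrypted AnyConnect stream by its outer
! headers only (the inner traffic cannot be inspected on this router).
! 192.0.2.10 is a placeholder for the VPN headend's public address.
ip access-list extended ANYCONNECT-VPN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp host 192.0.2.10 eq 443 any
 permit udp any host 192.0.2.10 eq 443
 permit udp host 192.0.2.10 eq 443 any
!
! Everything matching the ACL lands in one class: all connection profiles
! on the headend are caught together, as the reply notes.
class-map match-any ANYCONNECT-VPN
 match access-group name ANYCONNECT-VPN
!
! Give the VPN class a bounded low-latency queue; the percentage is an
! assumed value to be sized against the link and expected VPN load.
policy-map WAN-OUT
 class ANYCONNECT-VPN
  priority percent 20
 class class-default
  fair-queue
!
! Apply outbound on the WAN-facing interface (placeholder name).
interface GigabitEthernet0/1
 service-policy output WAN-OUT
```

Verify classification with `show policy-map interface GigabitEthernet0/1`; if the VPN class shows no matches, check that the ACL direction and headend address match the actual traffic path.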

Hi and thanks for your response.

My scenario is this.

Mobile users (iPhone/Android) are connected to the corporate network and use Cisco Anyconnect to access internal mobile apps.

Some mobile apps (such as voice/video) might require different packet markings than others, so that they are treated correctly on the WAN routers.

What I'm trying to understand is whether the DSCP markings can be placed on the outside of the Anyconnect VPN tunnel so that our WAN routers can see them.

I realise I could prioritize all Anyconnect traffic on our routers, but I'd like to understand whether I can prioritize the traffic types within the VPN tunnel.

Thanks


No - once they're wrapped in the SSL VPN the individual streams cannot be differentiated. All an intermediate router (or other QoS control point) will see is a monolithic tcp/443 (SSL) stream of data.