FlexVPN and QoS

peter.matuska1 · ‎03-20-2023

Hi,

lets say I have 1 hub router and 20 spokes. I am using IPSec with VTI - FlexVPN. The server behind hub router downloads some specific files (traffic can be determined by tcp port) from all spokes sites, besides other things. The question is whether it is possible to apply QOS on all VTI tunnels on the hub router in a way that downloading the mentioned files from the spoke site will work and wont be affected by any other traffic between hub and spoke.

thank you

Rob Ingram · ‎03-20-2023

@peter.matuska1 you can use authorisation to apply QoS policies to each virtual-access interface on the hub router. Authorisation can be external (RADIUS) or local. Local authorisation uses attribute list which references the interface command you'd normal define on the router.

Some examples of authorisation.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116032-flexvpn-aaa-config-example-00.html

https://integratingit.wordpress.com/2019/03/20/flexvpn-local-authorization/

https://integratingit.wordpress.com/2018/03/31/configuring-flexvpn-external-aaa-with-radius/

peter.matuska1 · ‎03-21-2023

ok, but the question is how to apply QoS on all interfaces in a way that specific traffic through all VTI will be prioritise and no other traffic via e.g. Tunnel1 or any other Tunnel interface will block the prioritised traffic because physical interface which is mapped to these interfaces is only 25Mbps and there is like 15 VTIs. thank you