Hi Andrew,
Glad to hear you like it!
Per-tunnel QoS is a “hub to spoke” solution. It seems there is a spoke-to-spoke solution though, I just found this on the Cisco website:
Per-Tunnel QoS for Spoke to Spoke Connections
The QoS: Spoke to Spoke per tunnel QoS for DMVPN feature enables a DMVPN client to establish a direct crypto tunnel with another DMVPN client leveraging the per-tunnel QoS policy, using Next Hop Resolution Protocol (NHRP) to build spoke-to-spoke connections.
This feature enhances the Adaptive QoS over DMVPN feature, which ensures effective bandwidth management using dynamic shapers based on available bandwidth.
A spoke-to-spoke connection is established when a group identity information, configured on the spokes using the nhrp attribute group command, is exchanged between the spokes through the NHRP Vendor Private Extension (VPE). The NHRP Vendor Private Extensions, encapsulated in NHRP control packets—NHRP resolution request and reply packets.
Assume a network with two spokes—Spoke A and Spoke B, connected to hub. If Spoke A is configured with the nhrp attribute group command and traffic exists between the Spoke A and Spoke B, a resolution request from the Spoke A carries the group identity information as part of Vendor Private Extension (VPE). On receiving the resolution request, Spoke B extracts the VPE header and checks the extension types received as part of the resolution request packet. If the VPE extension has group type, the NHRP VPE parser extracts the group information and checka if a matching map is present. If a matching map is present, QoS applies the policy on the target interface.
Another option is FlexVPN, it does support spoke-to-spoke QoS. FlexVPN is (unofficially) often called DMVPN phase 4.
Rene