Table Of Contents
Low Latency Queueing (LLQ) for IPSec Encryption Engines
Feature Overview
Benefits
Restrictions
Related Features and Technologies
Related Documents
Supported Platforms
Determining Platform Support Through Cisco Feature Navigator
Availability of Cisco IOS Software Images
Supported Standards, MIBs, and RFCs
Prerequisites
Configuration Tasks
Defining Class Maps
Configuring Class Policy in the Policy Map
Configuring Class Policy for a Priority Queue
Configuring Class Policy Using a Specified Bandwidth
Configuring the Class-Default Class Policy
Attaching the Service Policy
Verifying Configuration of Policy Maps and Their Classes
Monitoring and Maintaining LLQ for IPSec Encryption Engines
Configuration Examples
LLQ for IPSec Encryption Engines Example
Command Reference
Glossary
Low Latency Queueing (LLQ) for IPSec Encryption Engines
Feature History

| Release | Modification |
|---|---|
| 12.2(13)T | This feature was introduced. |
| 12.2(14)S | This feature was integrated into Cisco IOS Release 12.2(14)S. |
This feature module describes the Low Latency Queueing (LLQ) for IPSec encryption engines feature in Cisco IOS Release 12.2(13)T and 12.2(14)S. It includes the following sections:
• Feature Overview
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Prerequisites
• Configuration Tasks
• Monitoring and Maintaining LLQ for IPSec Encryption Engines
• Configuration Examples
• Command Reference
• Glossary
Feature Overview
Low Latency Queueing (LLQ) for IPSec encryption engines helps reduce packet latency by introducing the concept of queueing before crypto engines. Prior to this, the crypto processing engine gave data traffic and voice traffic equal status. Administrators now designate voice traffic as priority. Data packets arriving at a router interface are directed into a data packet inbound queue for crypto engine processing. This queue is called the best effort queue. Voice packets arriving on a router interface are directed into a priority packet inbound queue for crypto engine processing. This queue is called the priority queue. The crypto engine undertakes packet processing in a favorable ratio for voice packets. Voice packets are guaranteed a minimum processing bandwidth on the crypto engine.
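The queueing arrangement just described, as an added example that is not part of Cisco's documentation: a small Python model of the inbound queues in front of the crypto engine, comparing the earlier single queue (voice and data with equal status) against a priority queue that is served first up to a guaranteed share of the engine's capacity. The traffic pattern, engine capacity and priority share are constructed values chosen to congest the engine; the model is simplified (packets are processed whole, and priority traffic above its guaranteed share waits rather than being policed) and is meant to show why voice delay grows without bound under a shared queue and stays flat with a priority queue.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    cls: str       # "voice" or "data"
    size: int      # bytes
    arrived: int   # tick on which the packet reached the inbound queue


def constructed_arrivals(tick):
    """Constructed offered load per tick: three 1500-byte data packets followed
    by one 200-byte voice packet (4700 bytes per tick against an engine that
    processes 3000 bytes per tick, so the engine is congested)."""
    return [Packet("data", 1500, tick) for _ in range(3)] + [Packet("voice", 200, tick)]


def _serve(queue, capacity, tick, latencies, budget=None):
    """Hand whole packets from the head of queue to the crypto engine while the
    remaining per-tick capacity (and the class budget, if given) allows.
    Records each served packet's queueing delay and returns bytes consumed."""
    used = 0
    while queue:
        size = queue[0].size
        if size > capacity - used or (budget is not None and used + size > budget):
            break
        pkt = queue.popleft()
        used += size
        latencies[pkt.cls].append(tick - pkt.arrived)
    return used


def _stats(lat):
    return {"count": len(lat), "max": max(lat) if lat else 0,
            "mean": sum(lat) / len(lat) if lat else 0.0}


def simulate(scheduler, arrival_ticks=10, engine_bytes_per_tick=3000,
             priority_bytes_per_tick=600):
    """Run the engine until every queued packet has been processed.

    scheduler == "fifo": one inbound queue, voice and data treated alike
                         (the behaviour before this feature).
    scheduler == "llq":  the priority queue is served first up to its
                         guaranteed share, then the best-effort queue, then any
                         leftover capacity goes back to priority traffic.
    """
    latencies = {"voice": [], "data": []}
    fifo, priority, best_effort = deque(), deque(), deque()
    tick = 0
    while tick < arrival_ticks or fifo or priority or best_effort:
        if tick < arrival_ticks:
            for pkt in constructed_arrivals(tick):
                if scheduler == "fifo":
                    fifo.append(pkt)
                elif pkt.cls == "voice":
                    priority.append(pkt)
                else:
                    best_effort.append(pkt)
        served_before = len(latencies["voice"]) + len(latencies["data"])
        if scheduler == "fifo":
            _serve(fifo, engine_bytes_per_tick, tick, latencies)
        else:
            used = _serve(priority, engine_bytes_per_tick, tick, latencies,
                          budget=priority_bytes_per_tick)
            used += _serve(best_effort, engine_bytes_per_tick - used, tick, latencies)
            _serve(priority, engine_bytes_per_tick - used, tick, latencies)
        if tick >= arrival_ticks and served_before == len(latencies["voice"]) + len(latencies["data"]):
            raise RuntimeError("head-of-line packet larger than engine capacity; queue cannot drain")
        tick += 1
    return {"ticks": tick,
            "voice": _stats(latencies["voice"]),
            "data": _stats(latencies["data"])}


if __name__ == "__main__":
    for name in ("fifo", "llq"):
        print(name, simulate(name))
```

With the constructed load, the shared queue delays each successive voice packet one tick longer than the previous one (the data backlog ahead of it keeps growing), whereas the priority queue processes every voice packet in the tick it arrives; the data packets still get the whole of the engine's remaining capacity.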
Benefits
The Low Latency Queueing (LLQ) for IPSec encryption engines feature guarantees a certain level of crypto engine processing time for priority designated traffic.
Note
On the Cisco 2600 platform, with the exception of the Cisco 2691 router, CPU utilization reaches its maximum before the crypto engine becomes congested, so latency is not improved.
Better Voice Performance
Voice packets can be identified as priority, allowing the crypto engine to guarantee a certain percentage of processing bandwidth. This feature impacts the end user experience by assuring voice quality if voice traffic is directed onto a congested network.
Improved Latency and Jitter
Predictability is a critical component of network performance. The Low Latency Queueing (LLQ) for IPSec encryption engines feature delivers predictable network traffic behavior over VPN. With this feature disabled, an end user employing an IP phone over VPN might experience jitter or latency, both symptoms of overall network latency and congestion. With this feature enabled, these undesirable effects dissipate.
Restrictions
• No per-tunnel QoS policy. An interface QoS policy represents all tunnels.
• Assume the same IP precedence/DSCP marking for inbound and outbound voice packets.
• Assume the IP precedence/DSCP marking for voice packets is done at the source.
• Limited match criteria for voice traffic in the interface QoS policy.
• Assume call admission control is enforced within the enterprise.
• No strict error checking when the aggregate bandwidth of a policy exceeds the crypto engine bandwidth. Only a warning is displayed, but the configuration is allowed.
• Assume voice packets are either all encrypted or all unencrypted.
Related Features and Technologies
• CBWFQ
• Priority Queueing
• Weighted Fair Queueing
Related Documents
• Quality of Service Solutions Command Reference
• "Configuring Weighted Fair Queueing" module
Supported Platforms
12.2(14)S and higher
The LLQ for IPSec encryption engines feature is supported on the following platform:
• Cisco 7200 series
12.2(13)T
The LLQ for IPSec encryption engines feature is supported on all platforms using Cisco IOS Release 12.2(13)T or later, including:
• Cisco 2600 series
• Cisco 3600 series
• Cisco 7100 series
• Cisco 7200 series
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side-by-side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://www.cisco.com/register
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
http://www.cisco.com/go/fn
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, see the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
• No new or modified standards are supported by this feature.
MIBs
• No new or modified MIBs are supported by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://www.cisco.com/register
RFCs
• No new or modified RFCs are supported by this feature.
Prerequisites
To use this feature, you should be familiar with the following:
• Access control lists
• Bandwidth management
• CBWFQ
Configuration Tasks
To configure LLQ for IPSec encryption engines, perform the tasks described in the following section.
Note
See the "Applying QoS Features Using the MQC" module to learn more about configuring policy maps on interfaces.
• Defining Class Maps (required)
• Configuring Class Policy in the Policy Map (required)
• Configuring Class Policy for a Priority Queue (required)
• Configuring Class Policy Using a Specified Bandwidth (optional)
• Configuring the Class-Default Class Policy (optional)
• Attaching the Service Policy (required)
• Verifying Configuration of Policy Maps and Their Classes (optional)
Defining Class Maps
To create a class map containing match criteria against which a packet is checked to determine if it belongs to a class, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# class-map class-map-name | Specifies the name of the class map to be created. |
| Step 2 | Router(config-cmap)# match access-group {access-group \| name access-group-name} | Specifies the name of the access control list (ACL) against whose contents packets are checked to determine if they belong to the class. |
| or | Router(config-cmap)# match input-interface interface-name | Specifies the name of the input interface used as a match criterion against which packets are checked to determine if they belong to the class. |
| or | Router(config-cmap)# match protocol protocol | Specifies the name of the protocol used as a match criterion against which packets are checked to determine if they belong to the class. |
Configuring Class Policy in the Policy Map
To configure a policy map and create class policies that make up the service policy, begin with the policy-map command to specify the policy map name. Then use one or more of the following commands to configure the policy for a standard class or the default class:
• priority
• bandwidth
• queue-limit or random-detect
• fair-queue (for class-default class only)
For each class that you define, you can use one or more of the commands listed to configure the class policy. For example, you might specify bandwidth for one class and both bandwidth and queue limit for another class.
The default class of the policy map (commonly known as the class-default class) is the class to which traffic is directed if that traffic does not satisfy the match criteria of the other classes defined in the policy map.
You can configure class policies for as many classes as are defined on the router, up to the maximum of 64. However, the total amount of bandwidth allocated for all classes in a policy map must not exceed the minimum committed information rate (CIR) configured for the virtual circuit (VC) minus any bandwidth reserved by the frame-relay voice bandwidth and frame-relay ip rtp priority commands. If the minimum CIR is not configured, the bandwidth defaults to one half of the CIR. If all of the bandwidth is not allocated, the remaining bandwidth is allocated proportionally among the classes on the basis of their configured bandwidth.
To configure class policies in a policy map, perform the tasks described in the following sections. The task in the first section is required; the tasks in the remaining sections are optional.
Configuring Class Policy for a Priority Queue
To configure a policy map and give priority to a class within the policy map, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# policy-map policy-map | Specifies the name of the policy map to be created or modified. |
| Step 2 | Router(config-pmap)# class class-name | Specifies the name of a class to be created and included in the service policy. |
| Step 3 | Router(config-pmap-c)# priority bandwidth-kbps | Creates a strict priority class and specifies the amount of bandwidth, in kbps, to be assigned to the class. |
Configuring Class Policy Using a Specified Bandwidth
To configure a policy map and create class policies that make up the service policy, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# policy-map policy-map | Specifies the name of the policy map to be created or modified. |
| Step 2 | Router(config-pmap)# class class-name | Specifies the name of a class to be created and included in the service policy. |
| Step 3 | Router(config-pmap-c)# bandwidth bandwidth-kbps | Specifies the amount of bandwidth to be assigned to the class, in kbps, or as a percentage of the available bandwidth. Bandwidth must be specified in kbps or as a percentage consistently across classes. (Bandwidth of the priority queue must be specified in kbps.) |
To configure more than one class in the same policy map, repeat Step 2 and Step 3.
Configuring the Class-Default Class Policy
The class-default class is used to classify traffic that does not fall into one of the defined classes. Even though the class-default class is predefined when you create the policy map, you still have to configure it. If a default class is not configured, then traffic that does not match any of the configured classes is given best-effort treatment, which means that the network will deliver the traffic if it can, without any assurance of reliability, delay prevention, or throughput.
To configure a policy map and the class-default class, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# policy-map policy-map | Specifies the name of the policy map to be created or modified. |
| Step 2 | Router(config-pmap)# class class-default default-class-name | Specifies the default class so that you can configure or modify its policy. |
| Step 3 | Router(config-pmap-c)# bandwidth bandwidth-kbps | Specifies the amount of bandwidth, in kbps, to be assigned to the class. |
| or | Router(config-pmap-c)# fair-queue [number-of-dynamic-queues] | Specifies the number of dynamic queues to be reserved for use by flow-based WFQ running on the default class. The number of dynamic queues is derived from the bandwidth of the interface. |
Attaching the Service Policy
To attach a service policy to the output interface and enable LLQ for IPSec encryption engines, use the following commands beginning in global configuration mode:

| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router(config)# interface type number | Specifies the interface using the LLQ for IPSec encryption engines. |
| Step 2 | Router(config-if)# service-policy output policy-map | Attaches the specified service policy map to the output interface and enables LLQ for IPSec encryption engines. |
Verifying Configuration of Policy Maps and Their Classes
To display the contents of a specific policy map or all policy maps configured on an interface, use the following commands in EXEC mode, as needed:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router# show frame-relay pvc dlci | Displays statistics about the PVC and the configuration of classes for the policy map on the specified data-link connection identifier (DLCI). |
| Step 2 | Router# show policy-map interface interface-name | When LLQ is configured, displays the configuration of classes for all policy maps. |
| Step 3 | Router# show policy-map interface interface-name dlci dlci | When LLQ is configured, displays the configuration of classes for the policy map on the specified DLCI. |
Monitoring and Maintaining LLQ for IPSec Encryption Engines
To monitor and maintain LLQ for IPSec encryption engines, use the following command in EXEC mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router# show crypto eng qos | Displays quality of service queueing statistics for LLQ for IPSec encryption engines. |

For a more detailed list of commands that can be used to monitor LLQ for IPSec encryption engines, see the section "Verifying Configuration of Policy Maps and Their Classes".
Configuration Examples
This section provides the following configuration example:
• LLQ for IPSec Encryption Engines Example
LLQ for IPSec Encryption Engines Example
In the following example, a strict priority queue with a guaranteed allowed bandwidth of 50 kbps is reserved for traffic that is sent from the source address 10.10.10.10 to the destination address 10.10.10.20, in the range of ports 16384 through 20000 and 53000 through 56000.
First, the following commands configure access list 102 to match the desired voice traffic:
Router(config)# access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 16384 20000
Router(config)# access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 53000 56000
Next, the class map voice is defined and the policy map policy1 is created: a strict priority queue is reserved for the class voice, a bandwidth of 20 kbps is configured for the class bar, and the default class is configured for WFQ. The service-policy command then attaches the policy map to interface Fast Ethernet 0/0 (fastethernet0/0).
Router(config)# class-map voice
Router(config-cmap)# match access-group 102
Router(config)# policy-map policy1
Router(config-pmap)# class voice
Router(config-pmap-c)# priority 50
Router(config-pmap)# class bar
Router(config-pmap-c)# bandwidth 20
Router(config-pmap)# class class-default
Router(config-pmap-c)# fair-queue
Router(config)# interface fastethernet0/0
Router(config-if)# service-policy output policy1
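The following Python script is an added example and is not part of this module or of Cisco IOS. It parses the policy map out of a listing such as the one above and checks the allocation rules this module states: the Restrictions note that IOS only warns when a policy's aggregate bandwidth exceeds the crypto engine bandwidth, and the class-policy section limits the total of all classes to the minimum CIR (or half the CIR if no minimum is configured) less bandwidth reserved by frame-relay voice bandwidth and frame-relay ip rtp priority, requires kbps and percent not to be mixed across classes, and requires the priority queue's bandwidth in kbps. The crypto engine bandwidth and the Frame Relay VC figures are parameters you supply (the script does not read them from the router); the embedded configuration text is this module's example, used as constructed input.

```python
import re

# Constructed input: the policy from this module's configuration example,
# in the prompt form the page uses (running-config form is accepted too).
EXAMPLE_CONFIG = """
Router(config)# class-map voice
Router(config-cmap)# match access-group 102
Router(config)# policy-map policy1
Router(config-pmap)# class voice
Router(config-pmap-c)# priority 50
Router(config-pmap)# class bar
Router(config-pmap-c)# bandwidth 20
Router(config-pmap)# class class-default
Router(config-pmap-c)# fair-queue
Router(config)# interface fastethernet0/0
Router(config-if)# service-policy output policy1
"""

PROMPT_RE = re.compile(r"^Router\([^)]*\)#\s*")


def _new_class():
    return {"priority_kbps": None, "priority_percent": None,
            "bandwidth_kbps": None, "bandwidth_percent": None}


def parse_policy_maps(config_text):
    """Return {policy_map_name: {class_name: allocation dict}}. Only the priority
    and bandwidth commands relevant to the allocation rules are recorded."""
    policies, policy, cls = {}, None, None
    for raw in config_text.splitlines():
        words = PROMPT_RE.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "policy-map" and len(words) == 2:
            policy = policies.setdefault(words[1], {})
            cls = None
        elif words[0] == "class" and policy is not None and len(words) >= 2:
            cls = policy.setdefault(words[1], _new_class())
        elif cls is not None and words[0] in ("priority", "bandwidth") and len(words) >= 2:
            if words[1] == "percent" and len(words) >= 3 and words[2].isdigit():
                cls[words[0] + "_percent"] = int(words[2])
            elif words[1].isdigit():
                cls[words[0] + "_kbps"] = int(words[1])
        elif words[0] in ("class-map", "interface", "access-list"):
            policy = cls = None   # left policy-map configuration mode
    return policies


def allocated_kbps(classes):
    """Sum of the strict-priority and bandwidth allocations given in kbps."""
    return sum((c["priority_kbps"] or 0) + (c["bandwidth_kbps"] or 0)
               for c in classes.values())


def check_policy(classes, engine_kbps=None, cir_kbps=None, min_cir_kbps=None,
                 reserved_kbps=0):
    """Apply the module's allocation rules; return [(severity, message)], empty
    when the policy passes. engine_kbps is the crypto engine's processing
    bandwidth (assumed operator-supplied); the cir/min_cir/reserved figures are
    the Frame Relay VC parameters from the class-policy section."""
    findings = []
    for name, c in classes.items():
        if c["priority_percent"] is not None:
            findings.append(("error", f"class {name}: bandwidth of the priority "
                                      "queue must be specified in kbps"))
    pct = [n for n, c in classes.items() if c["bandwidth_percent"] is not None]
    kbps = [n for n, c in classes.items() if c["bandwidth_kbps"] is not None]
    if pct and kbps:
        findings.append(("error", f"bandwidth must be kbps or percent consistently "
                                  f"across classes; kbps: {kbps}, percent: {pct}"))
    total = allocated_kbps(classes)
    if engine_kbps is not None and total > engine_kbps:
        findings.append(("warning", f"aggregate {total} kbps exceeds crypto engine "
                                    f"bandwidth {engine_kbps} kbps; IOS warns but accepts this"))
    if cir_kbps is not None:
        available = (min_cir_kbps if min_cir_kbps is not None else cir_kbps / 2) - reserved_kbps
        if total > available:
            findings.append(("error", f"aggregate {total} kbps exceeds the {available:g} kbps "
                                      "available on the VC"))
    return findings


if __name__ == "__main__":
    policy = parse_policy_maps(EXAMPLE_CONFIG)["policy1"]
    print("allocated:", allocated_kbps(policy), "kbps")
    for severity, msg in check_policy(policy, engine_kbps=60, cir_kbps=256):
        print(severity.upper(), msg)
```

Because IOS itself only warns on the crypto-engine overcommit, running a check like this against proposed policy maps before they are pushed is the practical way to catch it; the Frame Relay checks only apply when the policy is attached to a VC, so leave cir_kbps unset otherwise.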
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Quality of Service Solutions Command Reference at http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
• show crypto eng qos
Glossary
IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPSec). Before any IPSec traffic can be passed, each router/firewall/host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service.
IPSec—IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.