This feature module describes the LLQ for IPsec encryption engines feature and includes the following sections:
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
LLQ for IPsec encryption engines helps reduce packet latency by introducing the concept of queueing before crypto engines. Prior to this, the crypto processing engine gave data traffic and voice traffic equal status. Administrators now designate voice traffic as priority. Data packets arriving at a router interface are directed into a data packet inbound queue for crypto engine processing. This queue is called the best effort queue. Voice packets arriving on a router interface are directed into a priority packet inbound queue for crypto engine processing. This queue is called the priority queue. The crypto engine undertakes packet processing in a favorable ratio for voice packets. Voice packets are guaranteed a minimum processing bandwidth on the crypto engine.
The LLQ for IPsec encryption engines feature guarantees a certain level of crypto engine processing time for priority designated traffic.
Voice packets can be identified as priority, allowing the crypto engine to guarantee a certain percentage of processing bandwidth. This feature impacts the end user experience by assuring voice quality if voice traffic is directed onto a congested network.
Predictability is a critical component of network performance. The LLQ for IPsec encryption engines feature delivers network traffic predictability relating to VPN. With this feature disabled, an end user employing an IP phone over VPN might experience jitter or latency, both symptoms of overall network latency and congestion. With this feature enabled, these undesirable characteristics are dissipated.
No new or modified standards are supported by this feature.
To locate and download MIBs for selected platforms, Cisco IOS XE Software releases, and feature sets, use Cisco MIB Locator found at the following URL:
No new or modified RFCs are supported by this feature.
To use this feature, you should be familiar with the following:
To configure LLQ for IPsec encryption engines, perform the tasks described in the following sections.
To configure a policy map and create class policies that make up the service policy, begin with the policy-map command to specify the policy map name. Then use one or more of the following commands to configure the policy for a standard class or the default class:
For each class that you define, you can use one or more of the commands listed to configure the class policy. For example, you might specify bandwidth for one class and both bandwidth and queue limit for another class.
The default class of the policy map (commonly known as the class-default class) is the class to which traffic is directed if that traffic does not satisfy the match criteria of the other classes defined in the policy map.
You can configure class policies for as many classes as are defined on the router, up to the maximum of 64. However, the total amount of bandwidth allocated for all classes in a policy map must not exceed the minimum committed information rate (CIR) configured for the virtual circuit (VC) minus any bandwidth reserved by the frame-relay voice bandwidth and frame-relay ip rtp priority commands. If the minimum CIR is not configured, the bandwidth defaults to one half of the CIR. If all of the bandwidth is not allocated, the remaining bandwidth is allocated proportionally among the classes on the basis of their configured bandwidth.
| Command or Action | Purpose |
|---|---|
| | Specifies the name of the policy map to be created or modified. |
| | Specifies the name of a class to be created and included in the service policy. |
| | Creates a strict priority class and specifies the amount of bandwidth, in kbps, to be assigned to the class. |

| Command or Action | Purpose |
|---|---|
| | Specifies the name of the policy map to be created or modified. |
| | Specifies the name of a class to be created and included in the service policy. |
| | Specifies the amount of bandwidth to be assigned to the class, in kbps, or as a percentage of the available bandwidth. Bandwidth must be specified in kbps or as a percentage consistently across classes. (Bandwidth of the priority queue must be specified in kbps.) |

| Command or Action | Purpose |
|---|---|
| | Specifies the interface using the LLQ for IPsec encryption engines. |
| | Attaches the specified service policy map to the output interface and enables LLQ for IPsec encryption engines. |

| Command or Action | Purpose |
|---|---|
| | Displays statistics about the PVC and the configuration of classes for the policy map on the specified data-link connection identifier (DLCI). |
| | When LLQ is configured, displays the configuration of classes for all policy maps. |
| | When LLQ is configured, displays the configuration of classes for the policy map on the specified DLCI. |

| Command or Action | Purpose |
|---|---|
| | Displays quality of service queueing statistics for LLQ for IPsec encryption engines. |

In the following example, a strict priority queue with a guaranteed allowed bandwidth of 50 kbps is reserved for traffic that is sent from the source address 10.10.10.10 to the destination address 10.10.10.20, in the range of ports 16384 through 20000 and 53000 through 56000.
First, the following commands configure access list 102 to match the desired voice traffic:
```
Router(config)# access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 16384 20000
Router(config)# access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 53000 56000
```
Next, the class map voice is defined, and the policy map called policy1 is created; a strict priority queue for the class voice is reserved, a bandwidth of 20 kbps is configured for the class bar, and the default class is configured for WFQ. The service-policy command then attaches the policy map to the fas0/0 interface.
```
Router(config)# class-map voice
Router(config-cmap)# match access-group 102
Router(config-cmap)# exit
Router(config)# policy-map policy1
Router(config-pmap)# class voice
Router(config-pmap-c)# priority 50
Router(config-pmap-c)# exit
Router(config-pmap)# class bar
Router(config-pmap-c)# bandwidth 20
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# fair-queue
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# interface fastethernet0/0/0
Router(config-if)# service-policy output policy1
```
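The bandwidth rules stated earlier (at most 64 classes, priority bandwidth in kbps, consistent units across classes, and a total that fits within the minimum CIR or half the CIR, less any reserved voice bandwidth) can be checked against a saved configuration before it is applied. The following Python audit is an added example, not Cisco code; the function names, the CIR figures passed to it, the `bandwidth 1000` interface line in the sample, and the choice to count the priority class toward the total are assumptions made for illustration.

```python
import re

MAX_CLASSES = 64  # class limit stated on this page

# Constructed running-config excerpt modelled on the policy1 example above.
SAMPLE = """\
policy-map policy1
 class voice
  priority 50
 class bar
  bandwidth 20
 class class-default
  fair-queue
interface FastEthernet0/0/0
 bandwidth 1000
 service-policy output policy1
"""

def parse_policy_map(config, name):
    """Return {class: (command, value, unit) or None} for one policy-map stanza."""
    classes, current, active = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", ""):  # unindented line opens a new top-level stanza
            active, current = line.split()[:2] == ["policy-map", name], None
        elif active and (m := re.fullmatch(r"class\s+(\S+)", line)):
            current = m.group(1)
            classes[current] = None
        elif active and current and (
                m := re.fullmatch(r"(priority|bandwidth)\s+(percent\s+)?(\d+)", line)):
            unit = "percent" if m.group(2) else "kbps"
            classes[current] = (m.group(1), int(m.group(3)), unit)
    return classes

def audit(classes, cir_kbps, min_cir_kbps=None, reserved_kbps=0):
    """Return a list of findings; an empty list means the policy fits the rules."""
    findings = []
    if len(classes) > MAX_CLASSES:
        findings.append(f"{len(classes)} classes exceeds the maximum of {MAX_CLASSES}")
    entries = {c: v for c, v in classes.items() if v}
    for c, (cmd, _, unit) in entries.items():
        if cmd == "priority" and unit != "kbps":
            findings.append(f"class {c}: priority queue bandwidth must be in kbps")
    if len({u for cmd, _, u in entries.values() if cmd == "bandwidth"}) > 1:
        findings.append("bandwidth mixes kbps and percent across classes")
    # Minimum CIR defaults to one half of the CIR when it is not configured.
    floor = min_cir_kbps if min_cir_kbps is not None else cir_kbps / 2
    available = floor - reserved_kbps
    total = sum(v for _, v, unit in entries.values() if unit == "kbps")
    if total > available:
        findings.append(f"{total} kbps allocated exceeds {available:g} kbps available")
    return findings
```

With a constructed CIR of 128 kbps and no minimum CIR configured, `audit(parse_policy_map(SAMPLE, "policy1"), cir_kbps=128)` reports that the 70 kbps allocated to voice and bar exceeds the 64 kbps default.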