- IPsec Anti-Replay Window Expanding and Disabling
- Pre-Fragmentation for IPsec VPNs
- Invalid Security Parameter Index Recovery
- IPsec Dead Peer Detection Periodic Message Option
- IPsec NAT Transparency
- DF Bit Override Functionality with IPsec Tunnels
- Crypto Access Check on Clear-Text Packets
- IPsec Security Association Idle Timers
- Low Latency Queueing for IPsec Encryption Engines
- Finding Feature Information
- Prerequisites for LLQ for IPsec Encryption Engines
- Restrictions for LLQ for IPsec Encryption Engines
- Information About LLQ for IPsec Encryption Engines
- How to Configure LLQ for IPsec Encryption Engines
- Configuration Examples for LLQ for IPsec Encryption Engines
- Additional References
- Feature Information for LLQ for IPsec Encryption Engines
- Glossary
Low Latency Queueing for IPsec Encryption Engines
The Low Latency Queueing (LLQ) for IPsec Encryption Engines feature helps reduce overall network latency and congestion by queueing priority designated traffic before it is processed by the crypto processing engine. This queueing guarantees a certain level of crypto engine processing time.
- Finding Feature Information
- Prerequisites for LLQ for IPsec Encryption Engines
- Restrictions for LLQ for IPsec Encryption Engines
- Information About LLQ for IPsec Encryption Engines
- How to Configure LLQ for IPsec Encryption Engines
- Configuration Examples for LLQ for IPsec Encryption Engines
- Additional References
- Feature Information for LLQ for IPsec Encryption Engines
- Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for LLQ for IPsec Encryption Engines
To use this feature, you should be familiar with the following:
- Access control lists
- Bandwidth management
- CBWFQ
Restrictions for LLQ for IPsec Encryption Engines
- No per-tunnel QoS policy. An interface QoS policy represents all tunnels.
- Assume the same IP precedence/DSCP marking for inbound and outbound voice packets.
- Assume the IP precedence/DSCP marking for voice packets are done at the source.
- Limited match criteria for voice traffic in the interface QoS policy.
- Assume call admission control is enforced within the enterprise.
- No strict error checking when aggregate policy's bandwidth exceeds crypto engine bandwidth. Only a warning is displayed but configuration is allowed.
- Assume voice packets are either all encrypted or unencrypted.
Information About LLQ for IPsec Encryption Engines
LLQ for IPsec Encryption Engines
Administrators can now use the Low Latency Queueing (LLQ) for IPsec Encryption Engines feature to prioritize voice and data traffic, which was previously only given equal status.
- Voice packets arriving on a router interface can be identified as priority and be directed into a priority packet inbound queue for crypto engine processing. This queue is called the priority queue. The crypto engine undertakes packet processing in a favorable ratio for voice packets. Voice packets are guaranteed a minimum processing bandwidth on the crypto engine. This feature impacts the end user experience by assuring voice quality if voice traffic is directed onto a congested network.
- Data packets arriving at a router interface are directed into a data packet inbound queue for crypto engine processing. This queue is called the best effort queue.
How to Configure LLQ for IPsec Encryption Engines
Perform the tasks described in this section to configure LLQ for IPsec Encryption Engines.
Note |
See the Quality of Service Solutions Command Reference to learn more about configuring server policies on interfaces. |
- Defining Class Maps (required)
- Configuring Class Policy in the Policy Map (required)
- Attaching the Service Policy (required)
- Viewing the LLQ for IPsec Encryption Engines Configuration (optional)
- Defining Class Maps
- Configuring Class Policy in the Policy Map
- Attaching the Service Policy
- Viewing the LLQ for IPsec Encryption Engines Configuration
- Viewing the LLQ for IPsec Encryption Engines Configuration
Defining Class Maps
The following steps are used to create a class map containing match criteria against which a packet is checked to determine if it belongs to a class:
DETAILED STEPS
Configuring Class Policy in the Policy Map
The default class of the policy map (commonly known as the class-default class) is the class to which traffic is directed if that traffic does not satisfy the match criteria of the other classes defined in the policy map.
You can configure class policies for as many classes as are defined on the router, up to the maximum of 64. However, the total amount of bandwidth allocated for all classes in a policy map must not exceed the minimum committed information rate (CIR) configured for the virtual circuit (VC) minus any bandwidth reserved by the frame-relay voice bandwidth and frame-relay ip rtp priority commands. If the minimum CIR is not configured, the bandwidth defaults to one half of the CIR. If all of the bandwidth is not allocated, the remaining bandwidth is allocated proportionally among the classes on the basis of their configured bandwidth.
To configure class policies in a policy map, perform the tasks described in the following sections.
- Configuring Class Policy for a Priority Queue (required)
- Configuring Class Policy Using a Specified Bandwidth (optional)
- Configuring the Class-Default Class Policy (optional)
- Configuring Class Policy for a Priority Queue
- Configuring Class Policy Using a Specified Bandwidth
- Configuring the Class-Default Class Policy
Configuring Class Policy for a Priority Queue
The following steps are used to configure a policy map and give priority to a class within the policy map:
DETAILED STEPS
Configuring Class Policy Using a Specified Bandwidth
The following steps are used to configure a policy map and create class policies that make up the service policy. To configure more than one class in the same policy map, repeat Step 2 and Step 3 .
DETAILED STEPS
Configuring the Class-Default Class Policy
The class-default class is used to classify traffic that does not fall into one of the defined classes. Even though the class-default class is predefined when you create the policy map, you still have to configure it. If a default class is not configured, then traffic that does not match any of the configured classes is given best-effort treatment, which means that the network will deliver the traffic if it can, without any assurance of reliability, delay prevention, or throughput.
The following steps are used to configure a policy map and the class-default class:
DETAILED STEPS
Attaching the Service Policy
The following steps are used to attach a service policy to the output interface and enable LLQ for IPsec encryption engines.
DETAILED STEPS
Viewing the LLQ for IPsec Encryption Engines Configuration
Viewing the LLQ for IPsec Encryption Engines Configuration
The following steps are used to view the contents of a specific policy map or all policy maps configured on an interface, and the LLQ for IPsec encryption engines:
DETAILED STEPS
Configuration Examples for LLQ for IPsec Encryption Engines
LLQ for IPsec Encryption Engines Example
In the following example, a strict priority queue with a guaranteed allowed bandwidth of 50 kbps is reserved for traffic that is sent from the source address 10.10.10.10 to the destination address 10.10.10.20, in the range of ports 16384 through 20000 and 53000 through 56000.
First, the following commands configure access list 102 to match the desired voice traffic:
Router(config)# access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 16384 20000 Router(config)# access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 53000 56000
Next, the class map voice is defined, and the policy map called policy1 is created; a strict priority queue for the class voice is reserved, a bandwidth of 20 kbps is configured for the class bar, and the default class is configured for WFQ. The service-policy command then attaches the policy map to the fas0/0.
Router(config)# class-map voice Router(config-cmap)# match access-group 102 Router(config)# policy-map policy1 Router(config-pmap)# class voice Router(config-pmap-c)# priority 50 Router(config-pmap)# class bar Router(config-pmap-c)# bandwidth 20 Router(config-pmap)# class class-default Router(config-pmap-c)# fair-queue Router(config)# interface fas0/0 Router(config-if)# service-policy output policy1
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
Cisco IOS Security Command Reference |
QoS Commands |
Cisco IOS Quality of Service Solutions Command Reference |
Weighted Fair Queueing |
Configuring Weighted Fair Queueing feature module. |
MIBs
MIB |
MIBs Link |
---|---|
None |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for LLQ for IPsec Encryption Engines
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for Low Latency Queueing (LLQ) for IPsec Encryption Engines |
Feature Name |
Releases |
Feature Information |
---|---|---|
Feature Information for Low Latency Queueing (LLQ) for IPsec Encryption Engines |
12.2(13)T 12.2(14)S |
The Low Latency Queueing (LLQ) for IPsec Encryption Engines feature helps reduce overall network latency and congestion by queueing priority designated traffic before it is processed by the crypto processing engine. This queueing guarantees a certain level of crypto engine processing time. This feature was introduced in Cisco IOS Release 12.2(13)T. This feature was integrated into Cisco IOS Release 12.2(14)S. The following commands were introduced or modified: show crypto eng qos . |
Glossary
IKE --Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPsec). Before any IPsec traffic can be passed, each router/firewall/host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service.
IPsec --IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.