Copyright © 2010, Juniper Networks, Inc.
In either case, the interface becomes available (operational state up) when the rekeying
operation is completed successfully. If the rekeying operation fails for reasons such as
an unreachable remote end or a policy mismatch, the router waits a certain number of
minutes and then tries again.
The wait time increases after each unsuccessful rekeying attempt, and follows a
progressive pattern. This pattern gradually increases in intervals, starting at 1 minute and
reaching a maximum interval of 60 minutes. The 60-minute interval repeats indefinitely.
When the rekeying operation is completed successfully, the pattern starts again.
If no ISM is available to which the router can reassign the interface, the interface remains
in the not present state until an ISM becomes available. As a result, the distribution of
dedicated ISM interfaces over the modules might become uneven.
Tunnel-Service Interface Considerations
To configure a tunnel-server port, you assign the maximum number of tunnel-service
interfaces to run on the specified tunnel-server port. This process is referred to as
provisioning. Conversely, the process of reducing the maximum number of tunnel-service
interfaces on a tunnel-server port to zero is referred to as unprovisioning the port.
This section describes the considerations for provisioning and unprovisioning
tunnel-service interfaces on dedicated and shared tunnel-server ports.
For instructions on how to provision and unprovision tunnel-service interfaces, see
"Configuring Tunnel-Server Ports and Tunnel-Service Interfaces" on page 217.
Provisioning Tunnel-Service Interfaces
By default, dedicated tunnel-server ports are configured to have the maximum number
of tunnel-service interfaces that the dedicated tunnel-server module supports. You can
reduce the maximum number of interfaces or completely unprovision the port by issuing
the max-interfaces command.
By default, shared tunnel-server ports are configured to have no tunnel-service interfaces.
To provision tunnel-service interfaces on a shared tunnel-server port, issue the
max-interfaces command to assign the port a nonzero maximum number of
tunnel-service interfaces.
Bandwidth Limitations of Shared Tunnel-Server Ports
Bandwidth limitations for shared tunnel-server ports and tunnel-service interfaces depend
on bandwidth restrictions, if any, that are in effect for the module on which the shared
tunnel-server port resides.
For shared tunnel-server ports on ES2 10G ADV LMs, you can reserve a percentage of
the total bandwidth available for forwarding by issuing the reserve-bandwidth command.
The reserve-bandwidth command is not supported for other line modules that support
tunnel-server configuration.
Chapter 6: Managing Tunnel-Service and IPSec-Service Interfaces