A tunnel-group is a collection of MS-ISA2s (mda-type isa2-tunnel) or ESA-VM (vm-type tunnel) configured to handle the termination of one or more IPsec, GRE or IP-IP tunnels. Two example tunnel-group configurations are shown below:
config isa
    tunnel-group 1 create
        primary 1/1
        backup 2/1
        no shutdown
    exit

config isa
    tunnel-group 2 create
        multi-active
        mda 3/1
        mda 3/2
        no shutdown

config isa
    tunnel-group 3 create
        multi-active
        esa-vm 3/1
        esa-vm 4/1
        no shutdown
A GRE, IP-IP, or IPsec tunnel belongs to only one tunnel group. There are two types of tunnel groups:
single-active tunnel-group
A single-active tunnel-group can have one tunnel-ISA designated as primary and optionally one other tunnel-ISA designated as backup. If the primary ISA fails, the affected tunnels are re-established on the backup (which is effectively a cold standby), provided the backup is not already in use as a backup for another tunnel-group.
multi-active tunnel-group
A multi-active tunnel-group can have multiple tunnel-ISAs designated as primary. This is only supported on the 7750 SR-7/SR-12/SR-12E/c-12/SR-1e/SR-2e/SR-3e, 7450 ESS, or the VSR. Only one ISA is supported on VSR.
Multi-active is the recommended tunnel-group type. Certain features, such as MC-IPsec, are only supported with a multi-active tunnel-group.
The ESA-VM is only supported in a multi-active tunnel-group.
Note that the ESA-VM and ISA/ISA2 cannot coexist in the same tunnel-group.
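The membership rules above can be checked before a configuration is pushed. The following Python sketch is an added example, not Nokia code: it reads the flat layout used in the examples above and flags groups that break the stated rules. The names parse_groups and lint, and tunnel-groups 4 and 5 in the sample, are constructed for illustration.

```python
import re

# Constructed sample in the flat layout of the examples above.
# Group 4 (ESA-VM without multi-active) and group 5 (ISA mixed with
# ESA-VM) are deliberately invalid.
SAMPLE = """\
config isa
tunnel-group 1 create
primary 1/1
backup 2/1
no shutdown
exit
config isa
tunnel-group 4 create
esa-vm 3/1
no shutdown
config isa
tunnel-group 5 create
multi-active
mda 3/1
esa-vm 4/1
no shutdown
"""

def parse_groups(text):
    """Return {group_id: {"multi_active": bool, "members": [(keyword, slot)]}}."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"tunnel-group (\d+) create", line):
            current = groups.setdefault(int(m.group(1)), {"multi_active": False, "members": []})
        elif current and line == "multi-active":
            current["multi_active"] = True
        elif current and (m := re.fullmatch(r"(primary|backup|mda|esa-vm) (\S+)", line)):
            current["members"].append(m.groups())
    return groups

def lint(groups):
    """Check each group against the membership rules stated in this section."""
    findings = []
    for gid, g in sorted(groups.items()):
        kinds = [k for k, _ in g["members"]]
        if "esa-vm" in kinds and not g["multi_active"]:
            findings.append((gid, "ESA-VM requires a multi-active tunnel-group"))
        if "esa-vm" in kinds and set(kinds) - {"esa-vm"}:
            findings.append((gid, "ESA-VM and ISA/ISA2 mixed in one tunnel-group"))
        if not g["multi_active"] and (kinds.count("primary") > 1 or kinds.count("backup") > 1):
            findings.append((gid, "single-active allows one primary and one backup"))
    return findings
```

Calling lint(parse_groups(SAMPLE)) reports group 4 and group 5 and leaves group 1 clean.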
The show isa tunnel-group command allows the operator to view information about all configured tunnel groups. This command displays the following information for each tunnel-group: group ID, primary tunnel-ISAs, backup tunnel-ISAs, active tunnel-ISAs, admin state and oper state.
There are three thresholds that are used to monitor memory usage in a tunnel ISA:
max-threshold
When the memory usage of an ISA exceeds this threshold, any new IKE states are rejected.
high-watermark
When the memory usage of an ISA exceeds this threshold, a trap is generated.
low-watermark
When the memory usage of an ISA falls below this threshold, a clear trap is generated.
These three thresholds are fixed and cannot be configured.
A tunnel-group has an isa-scale-mode, which defines the maximum number of tunnels (all types combined) that can be established on each ISA of the tunnel group. This is currently fixed at 32,000 tunnels per ISA. This value is different on VSR and vSIM; see the corresponding User Guides for details.