multi-sa

Syntax

Hierarchy Level

Description

Negotiates multiple security associations (SAs) based on the configuration choice. The multiple SAs are negotiated with the same traffic selector on the same IKE SA. By negotiating multiple SAs, the peer gateways have more replay windows. If the peer gateways create separate SAs for the configured forwarding classes (FCs), then potentially a separate anti-replay window is available for each FC value. With this mapping, even if CoS reorders packets, the reordering is done within a given one of the multiple SAs, thus avoiding packet drops due to the anti-replay checks.
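The effect described above can be seen in a small simulation. This is an added example, not Juniper code: it models an RFC 4303-style sliding window on the receiver, and the 64-packet window, the traffic mix, and the strict-priority scheduler are assumptions chosen for illustration.

```python
from collections import deque

class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 (ESP)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq > self.top:                      # new highest: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                        # older than window, or replayed
        self.bitmap |= 1 << offset
        return True

def simulate(per_fc_sa, window=64, be_count=10, ef_count=200):
    """Return how many packets the receiver's anti-replay check drops."""
    # Constructed traffic: BE packets are encrypted first, then an EF burst.
    traffic = ["best-effort"] * be_count + ["expedited-forwarding"] * ef_count
    counters = {}
    queues = {"expedited-forwarding": deque(), "best-effort": deque()}
    for fc in traffic:                          # sender: number packets per SA
        sa = fc if per_fc_sa else "single-sa"
        counters[sa] = counters.get(sa, 0) + 1
        queues[fc].append((sa, counters[sa]))
    # Assumed CoS behaviour: the EF queue drains completely before BE.
    wire = list(queues["expedited-forwarding"]) + list(queues["best-effort"])
    windows, dropped = {}, 0
    for sa, seq in wire:                        # receiver: one window per SA
        if sa not in windows:
            windows[sa] = ReplayWindow(window)
        if not windows[sa].accept(seq):
            dropped += 1
    return dropped

if __name__ == "__main__":
    print("single SA, drops:", simulate(per_fc_sa=False))
    print("one SA per FC, drops:", simulate(per_fc_sa=True))
```

With one shared SA, the delayed best-effort packets arrive more than a window behind the highest sequence number seen and are discarded; with one SA per forwarding class, each class keeps its own ordering and nothing is dropped.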

Options

forwarding-class

Forwarding classes (FCs) allow you to group packets for transmission and to assign packets to output queues.

  • Values:

    • expedited-forwarding—Provides a low-loss, low-latency, low-jitter, assured-bandwidth, end-to-end service.

    • assured-forwarding—Provides a group of values you can define and includes four subclasses—AF1, AF2, AF3, and AF4—each with three drop probabilities (low, medium, and high).

    • best-effort—Provides no service profile. For the BE forwarding class, loss priority is typically not carried in a class-of-service (CoS) value, and random early detection (RED) drop profiles are more aggressive.

    • network-control—This class is typically high priority because it supports protocol control.

Required Privilege Level

security

Release Information

Statement introduced in Junos OS Release 18.2R1.