Interface-Style Service Sets; Next-Hop-Style Service Sets - Juniper ACX1000 Configuration Manual

Junos OS; ACX Series Universal Access Router

ACX Series Universal Access Router Configuration Guide
1. To associate the two parts with logical interfaces, you configure two logical interfaces with the service-domain statement, one with the inside value and one with the outside value, to mark them as either an inside or outside service interface.
2. The router forwards the traffic to be serviced to the inside interface, using the next-hop lookup table.
3. After the service is applied, the traffic exits from the outside interface. A route lookup is then performed on the packets to be sent out of the router.
4. When the reverse traffic returns on the outside interface, the applied service is undone; for example, IPsec traffic is decrypted or NAT addresses are unmasked. The serviced packets then emerge on the inside interface, the router performs a route lookup, and the traffic exits the router.

A service rule's match direction (whether input, output, or input and output) is applied with respect to the traffic flow through the NAT engine, not through a specific inside or outside interface.

When a packet is sent to a NAT engine, packet direction information is carried along with it. This is true for both interface-style and next-hop-style service sets.

Interface-Style Service Sets

Packet direction is determined by whether a packet is entering or leaving any Packet Forwarding Engine interface (with respect to the forwarding plane) on which the interface-service statement is applied. This is similar to the input direction for stateless firewall filters.

The match direction can also depend on the network topology. For example, you might route all the external traffic through one interface that is used to protect the other interfaces on the router, and configure various services on this interface specifically. Alternatively, you might use one interface for priority traffic and configure special services on it, but not care about protecting traffic on the other interfaces.

Next-Hop-Style Service Sets

Packet direction is determined by the interface used to route packets to the NAT engine. If you use the inside-interface statement to route traffic, then the packet direction is input. If you use the outside-interface statement to direct packets to the NAT engine, then the packet direction is output.

The interface to which you apply the service sets affects the match direction. For example, apply the following configuration:

si-0/0/0 unit 1 service-domain inside;
si-0/0/0 unit 2 service-domain outside;

If you configure match-direction input, you include the following statements:

[edit]
services service-set test1 next-hop-service inside-service-interface si-0/0/0.1;
services service-set test1 next-hop-service outside-service-interface si-0/0/0.2;
services ipsec-vpn rule test-ipsec-rule match-direction input;
routing-options static route 10.0.0.0/24 next-hop si-0/0/0.1;
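The following Python sketch is an added example, not part of the Juniper manual. It audits a next-hop-style configuration by working out which packet direction a static route produces and whether a rule's match-direction will ever see that traffic. The function names are hypothetical, and the parser assumes only the flattened one-line statement forms shown above, not full Junos syntax.

```python
import ipaddress
import re

# Constructed input: the statements from the manual's example, one per line.
SAMPLE = """\
si-0/0/0 unit 1 service-domain inside;
si-0/0/0 unit 2 service-domain outside;
services service-set test1 next-hop-service inside-service-interface si-0/0/0.1;
services service-set test1 next-hop-service outside-service-interface si-0/0/0.2;
services ipsec-vpn rule test-ipsec-rule match-direction input;
routing-options static route 10.0.0.0/24 next-hop si-0/0/0.1;
"""

PATTERNS = {  # assumption: the input-output keyword stands for "input and output"
    "domain": r"(\S+) unit (\d+) service-domain (inside|outside)",
    "set": r"services service-set \S+ next-hop-service (inside|outside)-service-interface (\S+)",
    "rule": r"services \S+ rule (\S+) match-direction (input|output|input-output)",
    "route": r"routing-options static route (\S+) next-hop (\S+)",
}

def parse(text):
    """Group the captured fields of each recognised statement by statement kind."""
    cfg = {kind: [] for kind in PATTERNS}
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = re.fullmatch(pat, line.strip().rstrip(";"))
            if m:
                cfg[kind].append(m.groups())
    return cfg

def packet_direction(cfg, dest):
    """input if dest is routed to the inside service interface, output if to the outside one."""
    roles = {ifl: role for role, ifl in cfg["set"]}
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in cfg["route"]
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None  # no static route steers this destination into the service set
    return {"inside": "input", "outside": "output"}.get(roles.get(max(hits)[1]))

def role_mismatches(cfg):
    """Service-set interfaces whose service-domain value disagrees with their role."""
    domains = {f"{ifd}.{unit}": role for ifd, unit, role in cfg["domain"]}
    return [ifl for role, ifl in cfg["set"] if domains.get(ifl) != role]

def rules_matching(cfg, dest):
    """Names of rules whose match-direction covers traffic routed toward dest."""
    d = packet_direction(cfg, dest)
    return sorted(name for name, md in cfg["rule"] if d and d in md.split("-"))
```

An empty result from `rules_matching` for a destination that is routed into the service set means the rule's match direction never sees that traffic, which is worth checking before relying on the rule to protect it.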
Copyright © 2017, Juniper Networks, Inc.
