Interface-Style Service Sets; Next-Hop-Style Service Sets - Juniper ACX1000 Configuration Manual


ACX Series Universal Access Router Configuration Guide
packets then emerge on the inside interface, the router performs a route lookup, and
the traffic exits the router.
A service rule's match direction—whether input, output, or input and output—is applied
with respect to the traffic flow through the NAT engine, not through a specific inside or
outside interface.
When a packet is sent to a NAT engine, packet direction information is carried along
with it. This is true for both interface-style and next-hop-style service sets.

Interface-Style Service Sets

Packet direction is determined by whether a packet is entering or leaving any Packet
Forwarding Engine interface (with respect to the forwarding plane) on which the
interface-service statement is applied. This is similar to the input direction for stateless
firewall filters.
The match direction can also depend on the network topology. For example, you might
route all the external traffic through one interface that is used to protect the other
interfaces on the router, and configure various services on this interface specifically.
Alternatively, you might use one interface for priority traffic and configure special services
on it, but not care about protecting traffic on the other interfaces.

Next-Hop-Style Service Sets

Packet direction that is determined by the NAT engine is used to route packets to the
NAT engine. If you use the inside-interface statement to route traffic, then the packet
direction is input. If you use the outside-interface statement to direct packets to the NAT
engine, then the packet direction is output.
The interface to which you apply the service sets affects the match direction. For example,
apply the following configuration:
si-0/0/0 unit 1 service-domain inside;
si-0/0/0 unit 2 service-domain outside;
If you configure match-direction input, you include the following statements:
[edit]
services service-set test1 next-hop-service inside-service-interface si-0/0/0.1;
services service-set test1 next-hop-service outside-service-interface si-0/0/0.2;
services ipsec-vpn rule test-ipsec-rule match-direction input;
routing-options static route 10.0.0.0/24 next-hop si-0/0/0.1;
The essential difference between the two configurations is the change in the match
direction and the static routes' next hop, pointing to either the NAT engine's inside or
outside interface.

Related Documentation

Network Address Translation Overview on page 999
Network Address Port Translation Overview on page 1001
IPsec for ACX Series Overview on page 1087
Enabling Inline Services Interface on ACX Series on page 1008
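
The next-hop-style rule from the section above (routing to the inside interface gives packet direction input, routing to the outside interface gives output) can be checked mechanically. The following is an added example, not part of the Juniper guide: it reads flat statements in the format shown above and flags rules whose match-direction can never equal the packet direction of a routed prefix. The second static route in the sample and the treatment of every rule as applying to the service set are assumptions made for illustration.

```python
import re

# Constructed sample: the page's statements plus one extra static route
# (192.0.2.0/24, an assumption) that points at the outside interface.
SAMPLE = """\
services service-set test1 next-hop-service inside-service-interface si-0/0/0.1;
services service-set test1 next-hop-service outside-service-interface si-0/0/0.2;
services ipsec-vpn rule test-ipsec-rule match-direction input;
routing-options static route 10.0.0.0/24 next-hop si-0/0/0.1;
routing-options static route 192.0.2.0/24 next-hop si-0/0/0.2;
"""

SIDE_RE = re.compile(r"services service-set (\S+) next-hop-service "
                     r"(inside|outside)-service-interface (\S+);")
RULE_RE = re.compile(r"services \S+ rule (\S+) match-direction "
                     r"(input-output|input|output);")
ROUTE_RE = re.compile(r"routing-options static route (\S+) next-hop (\S+);")


def packet_directions(config):
    """Map each static-route prefix to (service set, packet direction).
    Next-hop style: routing to the inside interface gives direction input,
    routing to the outside interface gives direction output.
    """
    side = {ifl: (sset, "input" if which == "inside" else "output")
            for sset, which, ifl in SIDE_RE.findall(config)}
    return {prefix: side[nh]
            for prefix, nh in ROUTE_RE.findall(config) if nh in side}


def rules_that_cannot_match(config):
    """List (prefix, rule, rule direction, packet direction) mismatches.
    Assumption: every rule is evaluated for every service set, because the
    page's statements do not show which rules a service set references.
    """
    rules = RULE_RE.findall(config)
    return [(prefix, name, rule_dir, pkt_dir)
            for prefix, (_sset, pkt_dir) in sorted(packet_directions(config).items())
            for name, rule_dir in rules
            if rule_dir not in ("input-output", pkt_dir)]


if __name__ == "__main__":
    for prefix, (sset, direction) in packet_directions(SAMPLE).items():
        print(f"{prefix}: service set {sset}, packet direction {direction}")
    for finding in rules_that_cannot_match(SAMPLE):
        print("rule cannot match: prefix=%s rule=%s rule-dir=%s packet-dir=%s" % finding)
```

A finding means traffic for that prefix reaches the service set with a direction the rule does not match, so the rule's service is not applied to it.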
Copyright © 2017, Juniper Networks, Inc.
