When you configure next-hop service sets, the AS PIC functions as a two-part interface, in which one part is the inside interface and the other part is the outside interface. The following sequence of actions takes place:

1. To associate the two parts with logical interfaces, you configure two logical interfaces with the service-domain statement, one with the inside value and one with the outside value, to mark them as either an inside or outside service interface.
2. The router forwards the traffic to be serviced to the inside interface, using the next-hop lookup table.
3. After the service is applied, the traffic exits from the outside interface. A route lookup is then performed on the packets to be sent out of the router.
4. When the reverse traffic returns on the outside interface, the applied service is undone; for example, IPSec traffic is decrypted or NAT addresses are unmasked. The serviced packets then emerge on the inside interface, the router performs a route lookup, and the traffic exits the router.

A service rule’s match direction, whether input, output, or input/output, is applied with respect to the traffic flow through the AS PIC, not through a specific inside or outside interface.

When a packet is sent to an AS PIC, packet direction information is carried along with it. This is true for both interface style and next-hop style service sets.
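
The steps above, shown as an added configuration sketch (not taken from the original page). The interface name sp-1/2/0, the unit numbers, the rule and service-set names, and the 198.51.100.0/24 prefix are all assumptions chosen for illustration; a stateful firewall rule stands in for whatever service is being applied.

```junos
interfaces {
    sp-1/2/0 {
        # Step 1: two logical units on the same AS PIC, one marked
        # inside and one marked outside with service-domain.
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
}
services {
    stateful-firewall {
        rule sfw-example {
            # Direction is evaluated against the flow through the PIC,
            # not against unit 1 or unit 2 individually.
            match-direction input;
            term allow {
                then {
                    accept;
                }
            }
        }
    }
    service-set nh-example {
        stateful-firewall-rules sfw-example;
        # Binds the two logical units to this next-hop style service set.
        next-hop-service {
            inside-service-interface sp-1/2/0.1;
            outside-service-interface sp-1/2/0.2;
        }
    }
}
routing-options {
    static {
        # Step 2: the next-hop lookup steers traffic for this prefix
        # into the inside interface so that the service is applied.
        route 198.51.100.0/24 next-hop sp-1/2/0.1;
    }
}
```

Because only routed traffic reaches the PIC in this style, a prefix without a route pointing at the inside interface bypasses the service entirely, which is worth checking when the service set enforces a security policy.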