Service Set Configuration in the Transit Application

The following is what the administrator might see when using the CLI to examine the transit application on the router:

user@host# show services
service-set test {
    interface-service {
        service-interface ms-0/1/0;
    }
    extension-service jnx-flow {
        rules rule-1;
    }
}

user@host# show sdk
jnpr {
    jnx-flow {
        rule rule-1 {
            match-direction input;
            from {
                source-prefix 0.0.0.0/0;
                destination-prefix 0.0.0.0/0;
                protocol any;
            }
            then allow;
        }
    }
}

The jnx-flow sample application defines the service set as follows:

object services {

    flag no-struct;

    object service-set {

        notify DNAME_JNX_FLOWD;

        flag no-struct;

        object extension-service {

            flag no-struct;

            object rules {
                help "One or more jnx-flow rules";
                flag setof list;
                define DDLAID_SVCS_SVC_SET_EXT_SERVICE_RULES;

                attribute rule-name {
                    help "Rule name";
                    flag nokeyword identifier;
                    type ranged string 1 .. 64;
                    path-reference "sdk jnpr jnx-flow rule <*>";
                    must "sdk jnpr jnx-flow rule $$";
                    must-message "referenced jnx-flow rule must be defined";
                }
            }
        }
    }
}

Earlier in the configuration, the application defines simple rules that either retain or drop the packet as follows:

object jnx-flow-rule-object {

    define DDLAID_JNX_FLOW_RULE;

    attribute rule-name {
        flag identifier nokeyword;
        flag mandatory;
        type ranged string 1 .. 64;
        help "jnx-flow rule name";
        cname "jnx_flow_rule_name";
    }

    attribute match-direction {
        help "Direction in which the rule is to be applied";
        type enum int {
            choice input {
                help "Match on input interface";
                value 1;
            }
            choice output {
                help "Match on output interface";
                value 2;
            }
        }
        default input;
    }

    attribute from {
        help "Define match criteria";
        flag mandatory;
        type jnx-flow-match-object;
    }

    attribute then {
        help "Define the action";
        type enum int {
            choice allow {
                help "Allow the packets to pass";
                value 1;
            }
            choice deny {
                help "Drop the packets";
                value 2;
            }
        }
        default allow;
    }
}

The rule is applied according to the match conditions defined in another part of the configuration:

object jnx-flow-match-object {

    define DDLAID_JNX_FLOW_MATCH;

    attribute source-prefix {
        type ipv4prefix;
        help "Source Prefix for the rule match";
        cname "jnx_flow_rule_src_addr";
    }

    attribute destination-prefix {
        type ipv4prefix;
        help "Destination prefix for the rule match";
        cname "jnx_flow_rule_dst_addr";
    }

    attribute protocol {
        help "Protocol for the rule match";
        type enum int {
            choice icmp {
                help "ICMP protocol";
                value 1;
            }
            choice tcp {
                help "TCP protocol";
                value 6;
            }
            choice udp {
                help "UDP protocol";
                value 17;
            }
            choice "any" {
                help "Any protocol";
                value 0;
            }
        }
        default "any";
        cname "jnx_flow_rule_proto";
    }

    attribute source-port {
        type ushort;
        help "Source port to match";
        cname "jnx_flow_rule_src_port";
        default 0;
    }

    attribute destination-port {
        type ushort;
        help "Destination port to match";
        cname "jnx_flow_rule_dst_port";
        default 0;
    }
}

On the router, the network administrator specifies settings like the following:

chassis {
    fpc 1 {
        pic 0 {
            adaptive-services {
                service-package {
                    extension-provider {
                        control-cores 1;
                        data-cores 6;
                        object-cache-size 512;
                        package jnx-flow-data;
                    }
                }
            }
        }
    }
}
services {
    logging {
        traceoptions {
            file spd world-readable;
            flag all;
            flag init;
        }
    }
    adaptive-services-pics {
        traceoptions {
            flag all;
        }
    }
    service-set test {
        next-hop-service {
            inside-service-interface ms-1/0/0.1;
            outside-service-interface ms-1/0/0.2;
        }
        extension-service jnx-flow {
            rules rule-1;
        }
    }
}
sdk {
    jnpr {
        jnx-flow {
            rule rule-1 {
                match-direction input;
                from {
                    source-prefix 0.0.0.0/0;
                    destination-prefix 0.0.0.0/0;
                    protocol any;
                }
                then allow;
            }
        }
    }
}
routing-instances {
    vrf-1 {
        instance-type vrf;
        interface ms-1/0/0.1;
        interface ge-0/0/2.0;
        route-distinguisher 1:1;
        vrf-import dummy;
        vrf-export dummy;
        routing-options {
            static {
                route 30.31.32.0/24 next-hop ms-1/0/0.1;
            }
        }
    }
    vrf-2 {
        instance-type vrf;
        interface ms-1/0/0.2;
        interface ge-0/0/3.0;
        route-distinguisher 1:2;
        vrf-import dummy;
        vrf-export dummy;
        routing-options {
            static {
                route 20.21.22.0/24 next-hop ms-1/0/0.2;
            }
        }
    }
}
interfaces {
    ms-1/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 20.21.22.22/24 {
                    arp 20.21.22.24 mac 00:01:02:03:04:05;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 30.31.32.32/24 {
                    arp 30.31.32.34 mac 00:02:03:04:05:06;
                }
            }
        }
    }
}
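The DDL above encodes match-direction, protocol and then as integers, supplies defaults (input, any, port 0, allow), and uses a must constraint so that every service-set rules reference names a defined sdk jnpr jnx-flow rule. The following Python is an added example, not part of the SDK or of this page: it parses JUNOS-style configuration text such as the one above into nested dictionaries, applies those enum values and defaults, and reports references that the must check would reject. The sample configuration is constructed (rule-2 and the service set broken are not from the page), and treating an absent prefix as 0.0.0.0/0 is this example's assumption.

```python
import ipaddress
# Enum encodings and defaults taken from the jnx-flow DDL on this page.
MATCH_DIRECTION = {"input": 1, "output": 2}
PROTOCOL = {"icmp": 1, "tcp": 6, "udp": 17, "any": 0}
ACTION = {"allow": 1, "deny": 2}

def parse_config(text):
    """Parse JUNOS curly-brace text into nested dicts; block keys keep the full header ('rule rule-1')."""
    root = node = {}
    stack, words = [], []
    for tok in text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split():
        if tok == "{":                      # open (or reopen) a child block
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":                    # back to the parent block
            node = stack.pop()
        elif tok == ";":                    # leaf statement: last word is the value
            node[" ".join(words[:-1]) or words[0]] = words[-1] if len(words) > 1 else True
            words = []
        else:
            words.append(tok)
    return root

def load_rules(cfg):
    """Encode every 'sdk jnpr jnx-flow rule <name>' with the DDL enum values and defaults."""
    rules = {}
    for key, body in cfg["sdk"]["jnpr"]["jnx-flow"].items():
        frm = body["from"]                  # 'from' is mandatory in the DDL
        rules[key.split()[1]] = {
            "direction": MATCH_DIRECTION[body.get("match-direction", "input")],
            "src": ipaddress.ip_network(frm.get("source-prefix", "0.0.0.0/0")),  # absent prefix = wildcard (assumption)
            "dst": ipaddress.ip_network(frm.get("destination-prefix", "0.0.0.0/0")),
            "proto": PROTOCOL[frm.get("protocol", "any")],
            "sport": int(frm.get("source-port", 0)), "dport": int(frm.get("destination-port", 0)),
            "then": ACTION[body.get("then", "allow")]}
    return rules

def unresolved_rule_refs(cfg):
    """The DDL 'must' check: every service-set 'rules' reference has to name a defined jnx-flow rule."""
    defined = set(load_rules(cfg))
    refs = ((k.split()[1], v.get("extension-service jnx-flow", {}).get("rules"))
            for k, v in cfg["services"].items() if k.startswith("service-set "))
    return [(ss, rule) for ss, rule in refs if rule is not None and rule not in defined]

# Constructed sample: the page's rule-1, a second rule, and a service set whose reference does not resolve.
SAMPLE = """services { service-set test { extension-service jnx-flow { rules rule-1; } }
    service-set broken { extension-service jnx-flow { rules rule-9; } } }
sdk { jnpr { jnx-flow { rule rule-1 { from { source-prefix 0.0.0.0/0; destination-prefix 0.0.0.0/0; protocol any; } then allow; }
    rule rule-2 { from { destination-prefix 30.31.32.0/24; protocol tcp; destination-port 22; } then deny; } } } }"""
```

Running unresolved_rule_refs(parse_config(SAMPLE)) returns [("broken", "rule-9")], the reference the commit-time must check would reject with "referenced jnx-flow rule must be defined".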

Parsing the Service Set Configuration


2007-2009 Juniper Networks, Inc. All rights reserved. The information contained herein is confidential information of Juniper Networks, Inc., and may not be used, disclosed, distributed, modified, or copied without the prior written consent of Juniper Networks, Inc. in an express license. This information is subject to change by Juniper Networks, Inc. Juniper Networks, the Juniper Networks logo, and JUNOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Generated on Sun May 30 20:26:47 2010 for Juniper Networks Partner Solution Development Platform JUNOS SDK 10.2R1 by Doxygen 1.4.5