Adaptive Services Overview
MultiServices PICs and MultiServices Dense Port Concentrators (MS-DPCs) provide adaptive services interfaces, which allow you to coordinate multiple services on a single PIC by configuring a set of services and applications. MultiServices PICs and MS-DPCs offer a special range of services you configure in one or more service sets.
The MultiServices PIC is available in three versions, the MultiServices 100, the MultiServices 400, and the MultiServices 500, which differ in memory size and performance. All versions offer enhanced performance in comparison with AS PICs. MultiServices PICs are supported on M Series and T Series routers except M20 routers.
The MultiServices DPC is available for MX Series routers; it includes a subset of the functionality supported on the MultiServices PIC. Currently the MultiServices DPC supports the following Layer 3 services: stateful firewall, NAT, IDS, IPsec, active flow monitoring, RPM, and generic routing encapsulation (GRE) tunnels (including GRE key and fragmentation); it also supports graceful Routing Engine switchover (GRES) and Dynamic Application Awareness for Junos OS. For more information about supported packages, see Enabling Service Packages.
It is also possible to group several Multiservices PICs into an aggregated Multiservices (AMS) system. An AMS configuration eliminates the need for separate routers within a system. The primary benefit of having an AMS configuration is the ability to support load balancing of traffic across multiple services PICs. Starting with Junos OS 11.4, all MX Series routers will support high availability (HA) and Network Address Translation (NAT) on AMS infrastructure. See Configuring Load Balancing on AMS Infrastructure for more information.
The MultiServices PICs are polling based and not interrupt based; as a result, a high value in the “Interrupt load average” field of the show chassis pic command output may not mean that the PIC has reached its maximum limit of processing.
The following services are configured within a service set and are available only on adaptive services interfaces:
Stateful firewall—A type of firewall filter that considers state information derived from previous communications and other applications when evaluating traffic.
Network Address Translation (NAT)—A security procedure for concealing host addresses on a private network behind a pool of public addresses.
Intrusion detection service (IDS)—A set of tools for detecting, redirecting, and preventing certain kinds of network attack and intrusion.
IP Security (IPsec)—A set of tools for configuring manual or dynamic security associations (SAs) for encryption of data traffic.
Class of service (CoS)—A subset of CoS functionality for services interfaces, limited to DiffServ code point (DSCP) marking and forwarding-class assignment. CoS BA classification is not supported on services interfaces.
The configuration for these services comprises a series of rules that you can arrange in order of precedence as a rule set. Each rule follows the structure of a firewall filter, with a from statement containing input or match conditions and a then statement containing actions to be taken if the match conditions are met.
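The rule structure described above, shown as an added configuration sketch (not taken from the original page): a stateful firewall rule with an explicit permit term and a logged catch-all discard term, placed in a rule set and attached to a service set. The names sfw-outbound, sfw-edge, and ss-edge, the prefix 10.0.0.0/24, and the interface sp-1/2/0 are constructed for illustration.

```junos
services {
    stateful-firewall {
        /* Terms in a rule are evaluated in the order listed. */
        rule sfw-outbound {
            match-direction input;
            term allow-web {
                /* from: match conditions (constructed inside prefix). */
                from {
                    source-address {
                        10.0.0.0/24;
                    }
                    applications [ junos-http junos-https ];
                }
                /* then: action taken when the conditions are met. */
                then {
                    accept;
                }
            }
            term deny-rest {
                /* No from statement, so this term matches all remaining traffic. */
                then {
                    discard;
                    syslog;
                }
            }
        }
        /* Rule set: rules listed in order of precedence. */
        rule-set sfw-edge {
            rule sfw-outbound;
        }
    }
    /* Service set: binds the rule set to an adaptive services interface. */
    service-set ss-edge {
        stateful-firewall-rule-sets sfw-edge;
        interface-service {
            service-interface sp-1/2/0;
        }
    }
}
```

Ending the rule with an explicit discard term that carries the syslog action makes the deny decision visible in the configuration and records the dropped flows.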
The following services are also configured on the MultiServices PICs and MS-DPCs, but do not use the rule set definition:
Layer 2 Tunneling Protocol (L2TP)—A tool for setting up secure tunnels using Point-to-Point Protocol (PPP) encapsulation across Layer 2 networks.
Link Services Intelligent Queuing (LSQ)—Interfaces that support Junos OS class-of-service (CoS) components, link fragmentation and interleaving (LFI) (FRF.12), Multilink Frame Relay (MLFR) user-to-network interface (UNI) network-to-network interface (NNI) (FRF.16), and Multilink PPP (MLPPP).
Voice services—A feature that uses the Compressed Real-Time Transport Protocol (CRTP) to enable voice over IP traffic to use low-speed links more effectively.
In addition, Junos OS includes the following tools for configuring services:
Application protocols definition—Allows you to configure properties of application protocols that are subject to processing by router services, and group the application definitions into application sets.
Service-set definition—Allows you to configure combinations of directional rules and default settings that control the behavior of each service in the service set.
Logging of adaptive services interfaces messages to an external server by means of the fxp0 port is not supported on M Series routers. The architecture does not support system logging traffic out of a management interface. Instead, access to an external server is supported on a Packet Forwarding Engine interface.