
Service Filters


Service Filters in ACX Series

When you apply a service set to the traffic at an inline services interface, you can optionally use service filters to refine which traffic the set of services is applied to and how that traffic is processed. A service filter performs packet filtering on an inline services interface and selects the packets that are handed to a defined set of services before the traffic is delivered to its destination. In ACX Series routers, you can apply a service filter to traffic before packets are accepted for input service processing.

Note

In ACX Series routers, the service-set filters are implemented in ternary content addressable memory (TCAM) space. The allocated TCAM space is shared with the bridge family filter and with the NNI-Address-Overload-Reverse filter. (For each service set configured with address overloading, internal filters are created for the overloaded IP address and port range so that matching reverse-NAT traffic, from public to private addresses, is redirected to the service.) From a scaling perspective, the 124 allocated hardware TCAM entries are shared by all of these features, and entries are allocated on a first-come, first-served basis.

Guidelines for Applying Service Filters

This topic covers the following information:

Restrictions for Inline Services Interfaces

You can apply a service filter to IPv4 traffic associated with a service set at an inline services interface only.

ACX Series routers do not support post-service filters.

Statement Hierarchy for Applying Service Filters

You can enable packet filtering of IPv4 traffic before a packet is accepted for input service processing. To do this, apply a service filter to the inline services interface input in conjunction with an interface service set.

The following configuration shows the hierarchy levels at which you can apply the service filters to inline services interfaces:

Associating Service Rules with Inline Services Interfaces

To define and group the service rules to be applied to an inline services interface, you define an interface service set by including the service-set service-set-name statement at the [edit services] hierarchy level.

To apply an interface service set to the input of an inline services interface, you include the service-set service-set-name at the following hierarchy levels:

  • [edit interfaces interface-name unit unit-number input]

Filtering Traffic Before Accepting Packets for Service Processing

To filter IPv4 traffic before accepting packets for input service processing, include the service-set service-set-name service-filter service-filter-name at the following hierarchy level:

  • [edit interfaces interface-name unit unit-number family inet service input]

For the service-set-name, specify a service set configured at the [edit services service-set] hierarchy level.

The service set retains the input interface information even after services are applied, so that functions such as filter-class forwarding that depend on input interface information continue to work.

The following requirements apply to filtering inbound or outbound traffic before accepting packets for service processing:

  • You configure the same service set on the input and output sides of the interface.

  • If you include the service-set statement without an optional service-filter definition, Junos OS assumes that the match condition is true and selects the service set for processing automatically.

  • The service filter is applied only if a service set is configured and selected.

Service Filter Match Conditions for IPv4 Traffic

In ACX Series, service filters support only a subset of the stateless firewall filter match conditions for IPv4 traffic. Table 1 describes the service filter match conditions.

Table 1: Service Filter Match Conditions for IPv4 Traffic

| Match Condition | Description | Protocol Families |
|---|---|---|
| destination-address address | Match the IP destination address field. | family inet |
| destination-port number | Match the UDP or TCP destination port field. You cannot specify both the port and destination-port match conditions in the same term. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. | family inet |
| ip-options values | Match the 8-bit IP option field, if present, to the specified value or list of values. | family inet |
| protocol number | Match the IP protocol type field. | family inet |
| source-address address | Match the IP source address. | family inet |
| source-port number | Match the UDP or TCP source port field. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. | family inet |
| tcp-flags value | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port. | family inet |

Service Filter Actions

ACX Series routers support different sets of terminating and nonterminating actions that you can configure in a service filter term.

Note

Service filters do not support the next term action.

Table 2 describes the terminating actions you can configure in a service filter term.

Table 2: Terminating Actions for Service Filters

| Terminating Action | Description | Protocol Families |
|---|---|---|
| service | Direct the packet to service processing. | inet |

Table 3 describes the nonterminating actions you can configure in a service filter term.

Table 3: Nonterminating Actions for Service Filters

| Nonterminating Action | Description | Protocol Families |
|---|---|---|
| accept | Accept the packet. | inet |
| count counter-name | Count the packet in the named counter. | inet |
| log | Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI). | inet |
| port-mirror | Port-mirror the packet based on the specified family. | inet |
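As an added example that is not part of the Juniper documentation, the following Junos configuration ties together the hierarchy levels from the "Statement Hierarchy for Applying Service Filters" section with the match conditions and actions in Tables 1 through 3. The interface names (ge-0/0/1, si-0/0/0), the address, the service-set name SS-NAT, the filter name SF-WEB and the NAT rule NAT-RULE (assumed to be defined separately under [edit services nat]) are all placeholders.

```junos
/* Added example: service set plus service filter on an ACX inline services
   interface. All names and addresses are placeholders; NAT-RULE is assumed
   to exist under [edit services nat rule NAT-RULE]. */
services {
    service-set SS-NAT {
        nat-rules NAT-RULE;
        interface-service {
            service-interface si-0/0/0;   /* inline services interface (assumed) */
        }
    }
}
firewall {
    family inet {
        service-filter SF-WEB {
            /* Only TCP traffic to port 80 is handed to the service set.
               protocol tcp is configured together with destination-port,
               as Table 1 recommends. */
            term web-to-service {
                from {
                    protocol tcp;
                    destination-port 80;
                }
                then {
                    count web-serviced;   /* nonterminating: count the packet */
                    service;              /* terminating: send to service processing */
                }
            }
            /* Assumption: packets matching no term are not directed to
               service processing; verify the default on your release. */
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.0.2.1/30;     /* documentation prefix, placeholder */
                service {
                    input {
                        /* [edit interfaces ge-0/0/1 unit 0 family inet service input] */
                        service-set SS-NAT service-filter SF-WEB;
                    }
                    output {
                        /* the same service set on the output side, as required */
                        service-set SS-NAT;
                    }
                }
            }
        }
    }
}
```

Service filter terms consume entries from the shared TCAM pool described in the note at the top of the page, so keep the filter to the terms you actually need.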