Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring Service Sets to Be Applied to Services Interfaces

    You can configure an inline-services interface on which a service is to be performed. Services interfaces are used with either of the service set types described in the following sections.

    Configuring Services Interface

    An interface service set is used as an action modifier across an entire interface. To configure the services interface, include the interface-service statement at the [edit services service-set service-set-name] hierarchy level:

    [edit services service-set service-set-name]

    Only the interface name is needed, because Junos OS manages logical unit numbers automatically. The services interface must be an inline-services interface for which you have configured unit 0 family inet at the [edit interfaces interface-name] hierarchy level.

    When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces installed on the router. When you apply the service set to an interface, it automatically ensures that packets are directed to the Network Address Translation (NAT) engine.

    To associate a defined service set with an interface, include the service-set statement with the input and output statement at the [edit interfaces interface-name unit logical-unit-number family inet service] hierarchy level:

    [edit interfaces interface-name unit logical-unit-number family inet service]
    input {
    service-set service-set-name <service-filter filter-name>;
    output {
    service-set service-set-name <service-filter filter-name>;

    You configure the same service set on the input and output sides of the interface. You can optionally include filters associated with each service set to refine the target and additionally process the traffic. If you include the service-set statement without a service-filter definition, Junos OS assumes that the match condition is true and selects the service set for processing automatically.

    Note: If you configure service sets with filters, you must configure the service sets on the input and output sides of the interface.

    Configuring Next-Hop Service Sets

    A next-hop service set is a route-based method of applying a particular service. Only packets destined for a specific next hop are serviced by the creation of explicit static routes. This configuration is useful when services need to be applied to an entire virtual routing and forwarding (VRF) table, or when routing decisions determine that services need to be performed.

    When a next-hop service is configured, the IPsec or NAT engine is considered to be a two-part interface, with one part configured to be the inside interface (inside the network) and the other configured as the outside interface (outside the network).

    To configure the service domain, include the service-domain statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:

    [edit interfaces interface-name unit logical-unit-number]
    service-domain (inside | outside);

    The service-domain setting must match the configuration for the next-hop’s inside and outside services interfaces. To configure the inside and outside services interfaces, include the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level. The interfaces you specify must be logical interfaces on the same NAT engine. You cannot configure unit 0 for this purpose, and the logical interface you choose must not be used by another service set.

    inside-service-interface interface-name.unit-number;
    outside-service-interface interface-name.unit-number;

    Traffic on which the service is applied is forced to the inside interface using a static route. For example:

    routing-options {
    static {
    route next-hop si-0/0/0.1;

    After the service is applied, traffic exits through the outside interface. A lookup is then performed in the Packet Forwarding Engine to send the packet out of the NAT engine.

    The reverse traffic enters the outside interface, is serviced, and sent to the inside interface. The inside interface forwards the traffic out of the NAT engine.

    Determining Traffic Direction

    When you configure next-hop service sets, the IPsec or NAT engine functions as a two-part interface, in which one part is the inside interface and the other part is the outside interface. The following sequence of actions takes place:

    1. To associate the two parts with logical interfaces, you configure two logical interfaces with the service-domain statement, one with the inside value and one with the outside value, to mark them as either an inside or outside service interface.
    2. The router forwards the traffic to be serviced to the inside interface, using the next-hop lookup table.
    3. After the service is applied, the traffic exits from the outside interface. A route lookup is then performed on the packets to be sent out of the router.
    4. When the reverse traffic returns on the outside interface, the applied service is undone; for example, IPsec traffic is decrypted or NAT addresses are unmasked. The serviced packets then emerge on the inside interface, the router performs a route lookup, and the traffic exits the router.

    A service rule’s match direction—whether input, output, or input and output—is applied with respect to the traffic flow through the NAT engine, not through a specific inside or outside interface.

    When a packet is sent to an NAT engine, packet direction information is carried along with it. This is true for both interface-style and next-hop-style service sets.

    Interface-Style Service Sets

    Packet direction is determined by whether a packet is entering or leaving any Packet Forwarding Engine interface (with respect to the forwarding plane) on which the interface-service statement is applied. This is similar to the input direction for stateless firewall filters.

    The match direction can also depend on the network topology. For example, you might route all the external traffic through one interface that is used to protect the other interfaces on the router, and configure various services on this interface specifically. Alternatively, you might use one interface for priority traffic and configure special services on it, but not care about protecting traffic on the other interfaces.

    Next-Hop-Style Service Sets

    Packet direction that is determined by the NAT engine is used to route packets to the NAT engine. If you use the inside-interface statement to route traffic, then the packet direction is input. If you use the outside-interface statement to direct packets to the NAT engine, then the packet direction is output.

    The interface to which you apply the service sets affects the match direction. For example, apply the following configuration:

    si-0/0/0 unit 1 service-domain inside;
    si-0/0/0 unit 2 service-domain outside;

    If you configure match-direction input, you include the following statements:

    services service-set test1 next-hop-service inside-service-interface si-0/0/0.1;
    services service-set test1 next-hop-service outside-service-interface si-0/0/0.2;
    services ipsec-vpn rule test-ipsec-rule match-direction input;
    routing-options static route next-hop si-0/0/0.1;

    The essential difference between the two configurations is the change in the match direction and the static routes’ next hop, pointing to either the NAT engine’s inside or outside interface.

    Modified: 2017-09-13