Configuring Service Sets to be Applied to Services Interfaces


You configure a services interface to specify the adaptive services interface on which the service is to be performed. Services interfaces are used with either of the service set types described in the following sections.

Configuring Interface Service Sets

An interface service set is used as an action modifier across an entire interface. To configure the services interface, include the interface-service statement at the [edit services service-set service-set-name] hierarchy level:

Only the device name is needed, because the router software manages logical unit numbers automatically. The services interface must be an adaptive services interface for which you have configured unit 0 family inet at the [edit interfaces interface-name] hierarchy level.

When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces installed on the router. When you apply the service set to an interface, it automatically ensures that packets are directed to the PIC.

To associate a defined service set with an interface, include a service-set statement with the input or output statement at the [edit interfaces interface-name unit logical-unit-number family inet service] hierarchy level:

If a packet is entering the interface, the match direction is input. If a packet is leaving the interface, the match direction is output. The service set retains the input interface information even after services are applied, so that functions such as filter-class forwarding and destination class usage (DCU) that depend on input interface information continue to work.

You configure the same service set on the input and output sides of the interface. You can optionally include filters associated with each service set to refine the target and additionally process the traffic. If you include the service-set statement without a service-filter definition, the router software assumes the match condition is true and selects the service set for processing automatically.


If you configure service sets with filters, they must be configured on the input and output sides of the interface.

You can include more than one service set definition on each side of the interface. If you include multiple service sets, the router software evaluates them in the order in which they appear in the configuration. The system executes the first service set for which it finds a match in the service filter and ignores the subsequent definitions. A maximum of six service sets can be applied to an interface. When you apply multiple service sets to an interface, you must also configure and apply a service filter to the interface.

An additional statement allows you to specify a filter for processing the traffic after the input service set is executed. To configure this type of filter, include the post-service-filter statement at the [edit interfaces interface-name unit logical-unit-number family inet service input] hierarchy level:

The post-service-filter statement is not supported when the service interface is on an MS-MIC or MS-MPC.

For an example, see Example: Configuring Service Sets.
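The following set commands are an added illustration, not taken from the Juniper documentation. They apply two interface service sets, each paired with a service filter, to the input and output sides of one interface, so that the first filter match selects the service set. All names (sset-a, sset-b, sfw-a, sfw-b, the sf-* filters), the interfaces sp-1/2/0 and ge-0/0/1, and the documentation prefixes are constructed assumptions.

```junos
# Adaptive services interface: unit 0 family inet must be configured
set interfaces sp-1/2/0 unit 0 family inet

# Stateful firewall rules referenced by the service sets (constructed)
set services stateful-firewall rule sfw-a match-direction input-output
set services stateful-firewall rule sfw-a term t1 then accept
set services stateful-firewall rule sfw-b match-direction input-output
set services stateful-firewall rule sfw-b term t1 then accept

# Interface service sets: device name only, no logical unit number
set services service-set sset-a stateful-firewall-rules sfw-a
set services service-set sset-a interface-service service-interface sp-1/2/0
set services service-set sset-b stateful-firewall-rules sfw-b
set services service-set sset-b interface-service service-interface sp-1/2/0

# Service filters: "service" sends the packet to the service set, "skip" bypasses it
set firewall family inet service-filter sf-a-in term t1 from source-address 198.51.100.0/24
set firewall family inet service-filter sf-a-in term t1 then service
set firewall family inet service-filter sf-a-in term t2 then skip
set firewall family inet service-filter sf-a-out term t1 from destination-address 198.51.100.0/24
set firewall family inet service-filter sf-a-out term t1 then service
set firewall family inet service-filter sf-a-out term t2 then skip
set firewall family inet service-filter sf-b-in term t1 from source-address 203.0.113.0/24
set firewall family inet service-filter sf-b-in term t1 then service
set firewall family inet service-filter sf-b-in term t2 then skip
set firewall family inet service-filter sf-b-out term t1 from destination-address 203.0.113.0/24
set firewall family inet service-filter sf-b-out term t1 then service
set firewall family inet service-filter sf-b-out term t2 then skip

# Same service sets on both sides; evaluated in configuration order, first match wins
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet service input service-set sset-a service-filter sf-a-in
set interfaces ge-0/0/1 unit 0 family inet service input service-set sset-b service-filter sf-b-in
set interfaces ge-0/0/1 unit 0 family inet service output service-set sset-a service-filter sf-a-out
set interfaces ge-0/0/1 unit 0 family inet service output service-set sset-b service-filter sf-b-out
```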


With interface-style service sets that are configured with Junos OS extension-provider packages, the traffic fails to get serviced when the ingress interface is part of a VRF instance and the service interface is not part of the same VRF instance.


When the MultiServices PIC configured for a service set is either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set is dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit services service-set service-set-name service-set-options] hierarchy level. When this statement is configured, the affected packets are forwarded in the event of a MultiServices PIC failure or offlining, as though interface-style services were not configured. This issue applies only to Junos Application Aware (previously known as Dynamic Application Awareness) configurations using IDP service sets. Initially, this forwarding feature worked only with the Packet Forwarding Engine (PFE). Starting with Junos OS Release 11.3, the packet-forwarding feature is extended to packets generated by the Routing Engine for bypass service sets as well.

Configuring Next-Hop Service Sets

A next-hop service set is a route-based method of applying a particular service. Only packets destined for a specific next hop are serviced by the creation of explicit static routes. This configuration is useful when services need to be applied to an entire virtual private network (VPN) routing and forwarding (VRF) table, or when routing decisions determine that services need to be performed.

When a next-hop service is configured, the AS or Multiservices PIC is considered to be a two-legged module with one leg configured to be the inside interface (inside the network) and the other configured as the outside interface (outside the network).


You can create IFL indexes greater than 8000 only if the interface service set is not configured.

To configure the domain, include the service-domain statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level:

The service-domain setting must match the configuration for the next-hop service inside and outside interfaces. To configure the inside and outside interfaces, include the next-hop-service statement at the [edit services service-set service-set-name] hierarchy level. The interfaces you specify must be logical interfaces on the same AS PIC. You cannot configure unit 0 for this purpose, and the logical interface you choose must not be used by another service set.

Traffic on which the service is applied is forced to the inside interface using a static route. For example:

After the service is applied, traffic exits by way of the outside interface. A lookup is then performed in the Packet Forwarding Engine (PFE) to send the packet out of the AS or Multiservices PIC.

The reverse traffic enters the outside interface, is serviced, and sent to the inside interface. The inside interface forwards the traffic out of the AS or Multiservices PIC.

Determining Traffic Direction

When you configure next-hop service sets, the AS PIC functions as a two-part interface, in which one part is the inside interface and the other part is the outside interface. The following sequence of actions takes place:

  1. To associate the two parts with logical interfaces, you configure two logical interfaces with the service-domain statement, one with the inside value and one with the outside value, to mark them as either an inside or outside service interface.

  2. The router forwards the traffic to be serviced to the inside interface, using the next-hop lookup table.

  3. After the service is applied, the traffic exits from the outside interface. A route lookup is then performed on the packets to be sent out of the router.

  4. When the reverse traffic returns on the outside interface, the applied service is undone; for example, IPsec traffic is decrypted or NAT addresses are unmasked. The serviced packets then emerge on the inside interface, the router performs a route lookup, and the traffic exits the router.

A service rule’s match direction, whether input, output, or input/output, is applied with respect to the traffic flow through the AS PIC, not through a specific inside or outside interface.

When a packet is sent to an AS PIC, packet direction information is carried along with it. This is true for both interface style and next-hop style service sets.

Interface Style Service Sets

Packet direction is determined by whether a packet is entering or leaving any Packet Forwarding Engine interface (with respect to the forwarding plane) on which the interface-service statement is applied. This is similar to the input and output direction for stateless firewall filters.

The match direction can also depend on the network topology. For example, you might route all the external traffic through one interface that is used to protect the other interfaces on the router, and configure various services on this interface specifically. Alternatively, you might use one interface for priority traffic and configure special services on it, but not care about protecting traffic on the other interfaces.

Next-Hop Style Service Sets

Packet direction is determined by the AS PIC interface used to route packets to the AS PIC. If you use the inside-interface statement to route traffic, then the packet direction is input. If you use the outside-interface statement to direct packets to the AS PIC, then the packet direction is output.

The interface to which you apply the service sets affects the match direction. For example, apply the following configuration:

If you configure match-direction input, you include the following statements:

If you configure match-direction output, you include the following statements:

The essential difference between the two configurations is the change in the match direction and the static routes’ next hop, pointing to either the AS PIC's inside or outside interface.
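The following set commands are an added illustration, not taken from the Juniper documentation. They cover both the next-hop service set configuration described under Configuring Next-Hop Service Sets and the match-direction pairing described here. The names sset-nh and sfw-nh, the interface sp-1/1/0 with units 1 and 2, and the prefix 198.51.100.0/24 are constructed assumptions; the Junos statements that name the two legs are inside-service-interface and outside-service-interface.

```junos
# Two logical units on the same AS PIC, marked inside and outside.
# Unit 0 cannot be used, and neither unit may belong to another service set.
set interfaces sp-1/1/0 unit 1 family inet
set interfaces sp-1/1/0 unit 1 service-domain inside
set interfaces sp-1/1/0 unit 2 family inet
set interfaces sp-1/1/0 unit 2 service-domain outside

# Next-hop service set: each leg must match the service-domain set above
set services service-set sset-nh next-hop-service inside-service-interface sp-1/1/0.1
set services service-set sset-nh next-hop-service outside-service-interface sp-1/1/0.2
set services service-set sset-nh stateful-firewall-rules sfw-nh

# Variant A: match-direction input.
# The static route forces the traffic to the inside interface,
# so the packet direction seen by the rule is input.
set services stateful-firewall rule sfw-nh match-direction input
set services stateful-firewall rule sfw-nh term t1 then accept
set routing-options static route 198.51.100.0/24 next-hop sp-1/1/0.1

# Variant B: match-direction output (use instead of variant A).
# The static route points at the outside interface,
# so the packet direction seen by the rule is output.
# set services stateful-firewall rule sfw-nh match-direction output
# set routing-options static route 198.51.100.0/24 next-hop sp-1/1/0.2
```

If the rule's match direction and the static route's next hop disagree, the rule does not match the routed traffic, because direction is judged by which leg the packet used to reach the PIC.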