 |
Note: When you enable services on an interface, reverse-path forwarding is not supported. You cannot configure services on the management interface (fxp0) or the loopback interface (lo0). |
When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces installed on the router. To associate a defined service set with an interface, include the service-set statement at the [edit interfaces interface-name unit logical-unit-number family inet service (input | output)] hierarchy level:
- [edit interfaces interface-name unit logical-unit-number family inet service]
-
input {
-
service-set service-set-name <service-filter filter-name>;
-
post-service-filter filter-name;
- }
-
output {
-
service-set service-set-name <service-filter filter-name>;
- }
|
Note: When you enable services on an interface, reverse-path forwarding is not supported. You cannot configure services on the management interface (fxp0) or the loopback interface (lo0). |
You can configure different service sets on the input and output sides of the interface. However, for service sets with bidirectional service rules, you must include the same service set definition in both the input and output statements. Any service set you include in the service statement must be configured with the interface-service statement at the [edit services service-set service-set-name] hierarchy level; for more information, see Configuring Services Interfaces.
|
Note: If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an Internet Control Message Protocol (ICMP) error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction. Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service. |