Packet direction is determined by the AS PIC interface used to route packets to the AS PIC. If you use the inside-interface statement to route traffic, then the packet direction is input. If you use the outside-interface statement to direct packets to the AS PIC, then the packet direction is output.
The interface to which you apply the service sets affects the match direction. For example, apply the following configuration:
- sp-1/1/0 unit 1 service-domain inside;
- sp-1/1/0 unit 2 service-domain outside;
If you configure match-direction input, you include the following:
- [edit]
- services service-set test1 next-hop-service inside-service-interface
sp-1/0/0.1;
- services service-set test1 next-hop-service outside-service-interface
sp-1/0/0.2;
- services ipsec-vpn rule test-ipsec-rule match-direction
input;
- routing-options static route 10.0.0.0/24 next-hop sp-1/1/0.1;
If you configure match-direction output, you include the following:
- [edit]
- services service-set test2 next-hop-service inside-service-interface
sp-1/0/0.1;
- services service-set test2 next-hop-service outside-service-interface
sp-1/0/0.2;
- services ipsec-vpn rule test-ipsec-rule match-direction
output;
- routing-options static route 10.0.0.0/24 next-hop sp-1/1/0.2;
The essential difference between the two configurations is the change in the match direction and the static routes’ next hop, pointing to either the AS PIC's inside or outside interface.