Guidelines for Applying Service Filters
Restrictions for Adaptive Services Interfaces
The following restrictions apply to adaptive services interfaces and service filters.
Adaptive Services Interfaces
You can apply a service filter to IPv4 or IPv6 traffic associated with a service set at an adaptive services interface only. Adaptive services interfaces are supported for the following hardware only:
Adaptive Services (AS) PICs on M Series and T Series routers
Multiservices (MS) PICs on M Series and T Series routers
MS DPCs on MX Series routers and EX Series switches
MS MPCs and MICs on MX Series routers
System Logging to a Remote Host from M Series Routers
Logging of adaptive services interfaces messages to an external server by means of the fxp0 or em0 port is not supported on M Series routers. The architecture
does not support system logging traffic out of a management interface. Instead, access to
an external server is supported on a Packet Forwarding Engine interface.
Statement Hierarchy for Applying Service Filters
You can enable packet filtering of IPv4 or IPv6 traffic before a packet is accepted for input or output service processing. To do this, apply a service filter to the adaptive services interface input or output in conjunction with an interface service set.
You can also enable packet filtering of IPv4 or IPv6 traffic that is returning to the Packet Forwarding Engine after input service processing completes. To do this, apply a post-service filter to the adaptive services interface input.
The following configuration shows the hierarchy levels at which you can apply the service filters to adaptive services interfaces:
[edit]
interfaces {
interface-name {
unit unit-number {
family (inet | inet6) {
service {
input {
service-set service-set-name service-filter service-filter-name;
post-service-filter service-filter-name;
}
output {
service-set service-set-name service-filter service-filter-name;
}
}
}
}
}
}
Associating Service Rules with Adaptive Services Interfaces
To define and group the service rules be applied to an adaptive services interface,
you define an interface service set by including the service-set service-set-name statement at the [edit services] hierarchy level.
To apply an interface service set to the input and output of an adaptive services interface,
you include the service-set service-set-name at the following hierarchy levels:
[edit interfaces interface-name unit unit-number input][edit interfaces interface-name unit unit-number output]
If you apply a service set to one direction of an adaptive services interface but do not apply a service set to the other direction, an error occurs when you commit the configuration.
The adaptive services PIC performs different actions depending on whether the packet is sent to the PIC for input service or for output service. For example, you can configure a single service set to perform Network Address Translation (NAT) in one direction and destination NAT (dNAT) in the other direction.
Filtering Traffic Before Accepting Packets for Service Processing
To filter IPv4 or IPv6 traffic before accepting packets for input or output service
processing, include the service-set service-set-name service-filter service-filter-name at one of the following
interfaces:
[edit interfaces interface-name unit unit-number family (inet | inet6) service input][edit interfaces interface-name unit unit-number family (inet | inet6) service output]
For the service-set-name, specify a service set configured
at the [edit services service-set] hierarchy level.
The service set retains the input interface information even after services are applied, so that functions such as filter-class forwarding and destination class usage (DCU) that depend on input interface information continue to work.
The following requirements apply to filtering inbound or outbound traffic before accepting packets for service processing:
You configure the same service set on the input and output sides of the interface.
If you include the
service-setstatement without an optionalservice-filterdefinition, the Junos OS assumes the match condition is true and selects the service set for processing automatically.The service filter is applied only if a service set is configured and selected.
You can include more than one service set definition on each side of an interface. The following guidelines apply:
If you include multiple service sets, the router (or switch) software evaluates them in the order in which they appear in the configuration. The system executes the first service set for which it finds a match in the service filter and ignores the subsequent definitions.
A maximum of six service sets can be applied to an interface.
When you apply multiple service sets to an interface, you must also configure and apply a service filter to the interface.
Postservice Filtering of Returning Service Traffic
As an option to filtering of IPv4 or IPv6 input service traffic, you can apply a service
filter to IPv4 or IPv6 traffic that is returning to the services interface after the service
set is executed. To apply a service filter in this manner, include the post-service-filter service-filter-name statement at the [edit interfaces interface-name unit unit-number family (inet | inet6) service input] hierarchy level.