Service Filters
Service Filters in ACX Series
When you apply a service set to the traffic at an inline services interface, you can optionally use service filters to refine the target of the set of services and also to process traffic. Service filters enable you to manipulate traffic by performing packet filtering to a defined set of services on an inline services interface before the traffic is delivered to its destination. In ACX Series routers, you can apply a service filter to traffic before packets are accepted for input service processing.
In ACX Series routers, the service-set filters are implemented using ternary content addressable memory (TCAM) space. The allocated TCAM space is shared with the bridge family filter and with the NNI-Address-Overload-Reverse filter (for each service set that is configured with address overloading, internal filters are configured for the given overloaded IP address and port range to redirect the matched reverse-NAT (public-to-private) traffic to the service). From a scaling perspective, the allocated 124 hardware TCAM entries are shared by these features, and TCAM entries are allocated on a first-come, first-served basis.
Guidelines for Applying Service Filters
This topic covers the following information:
- Restrictions for Inline Services Interfaces
- Statement Hierarchy for Applying Service Filters
- Associating Service Rules with Inline Services Interfaces
- Filtering Traffic Before Accepting Packets for Service Processing
Restrictions for Inline Services Interfaces
You can apply a service filter to IPv4 traffic associated with a service set at an inline services interface only.
ACX Series routers do not support post-service filters.
Statement Hierarchy for Applying Service Filters
You can enable packet filtering of IPv4 traffic before a packet is accepted for input service processing. To do this, apply a service filter to the inline services interface input in conjunction with an interface service set.
The following configuration shows the hierarchy levels at which you can apply the service filters to inline services interfaces:
[edit]
interfaces {
    interface-name {
        unit unit-number {
            family (inet | inet6) {
                service {
                    input {
                        service-set service-set-name service-filter service-filter-name;
                    }
                    output {
                        [ service-set service-set-name <service-filter filter-name> ];
                    }
                }
            }
        }
    }
}
Associating Service Rules with Inline Services Interfaces
To define and group the service rules to be applied to an inline services interface, you define an interface service set by including the service-set service-set-name statement at the [edit services] hierarchy level.
To apply an interface service set to the input of an inline services interface, you include the service-set service-set-name at the following hierarchy levels:
[edit interfaces interface-name unit unit-number input]
Filtering Traffic Before Accepting Packets for Service Processing
To filter IPv4 traffic before accepting packets for input service processing, include the service-set service-set-name service-filter service-filter-name at the following hierarchy level:
[edit interfaces interface-name unit unit-number family inet service input]
For the service-set-name, specify a service set configured at the [edit services service-set] hierarchy level.
The service set retains the input interface information even after services are applied, so that functions such as filter-class forwarding that depend on input interface information continue to work.
The following requirements apply to filtering inbound or outbound traffic before accepting packets for service processing:
- You configure the same service set on the input and output sides of the interface.
- If you include the service-set statement without an optional service-filter definition, Junos OS assumes that the match condition is true and selects the service set for processing automatically. The service filter is applied only if a service set is configured and selected.
Service Filter Match Conditions for IPv4 Traffic
In ACX Series, service filters support only a subset of the stateless firewall filter match conditions for IPv4 traffic. Table 1 describes the service filter match conditions.
Match Condition | Description | Protocol Families |
---|---|---|
destination-address address | Match the IP destination address field. | family inet |
destination-port number | Match the UDP or TCP destination port field. You cannot specify both the port and destination-port match conditions in the same term. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. | family inet |
ip-options values | Match the 8-bit IP option field, if present, to the specified value or list of values. | family inet |
protocol number | Match the IP protocol type field. | family inet |
source-address address | Match the IP source address. | family inet |
source-port number | Match the UDP or TCP source port field. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. | family inet |
tcp-flags value | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port. | family inet |
Service Filter Actions
ACX Series routers support different sets of terminating and nonterminating actions that you can configure in a service filter term.
Service filters do not support the next term action.
Table 2 describes the terminating actions you can configure in a service filter term.
Terminating Action | Description | Protocol Families |
---|---|---|
service | Direct the packet to service processing. | inet |
Table 3 describes the nonterminating actions you can configure in a service filter term.
Nonterminating Action | Description | Protocol Families |
---|---|---|
| Accept the packet. | inet |
count counter-name | Count the packet in the named counter. | inet |
log | Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the | inet |
port-mirror | Port-mirror the packet based on the specified family. | inet |
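Putting the guidelines and the two tables together, here is an added example (not from the Juniper documentation) of a service filter that sends only selected IPv4 traffic into a service set on an ACX inline services interface and counts and logs what it admits; the interface, service-set, NAT rule and filter names and the addresses are assumptions.

```junos
/* Added example, not from the Juniper documentation. Interface, service set,
   NAT rule, filter name and addresses are assumptions. */
services {
    service-set nat-ss {
        nat-rules nat-out;                  /* assumed NAT rule, defined elsewhere */
        interface-service {
            service-interface si-0/0/0.0;   /* assumed inline services interface */
        }
    }
}
firewall {
    family inet {
        service-filter svc-select {
            /* Only TCP 80/443 from the private range is sent to service
               processing; each term consumes entries from the 124-entry TCAM
               pool shared with the bridge and reverse-NAT filters. */
            term web-to-service {
                from {
                    source-address 10.0.0.0/8;
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then {
                    count svc-web;
                    log;
                    service;
                }
            }
            /* Assumed: traffic matching no term bypasses service processing. */
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
                service {
                    input {
                        service-set nat-ss service-filter svc-select;
                    }
                    output {
                        service-set nat-ss;   /* same set both ways; no post-service filter on ACX */
                    }
                }
            }
        }
    }
}
```

The counter svc-web and the Packet Forwarding Engine log buffer let you verify that only the intended flows reach the service set and that the TCAM budget is not being spent on traffic you meant to bypass.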