Understanding Service Sets

Junos OS enables you to create service sets that define a collection of services to be performed by an Adaptive Services interface (AS) or Multiservices line cards (MS-DPC, MS-MIC, and MS-MPC). You can configure the service set either as an interface style service set or as a next-hop style service set.

An interface service set is used as an action modifier across an entire interface. You can use an interface style service set when you want to apply services to packets passing through an interface.

A next-hop service set is a route-based method of applying a particular service. Only packets destined for a specific next hop are serviced, and you select them by creating explicit static routes. This configuration is useful when services need to be applied to an entire virtual private network (VPN) routing and forwarding (VRF) table, or when routing decisions determine that services need to be performed. When a next-hop service is configured, the service interface is considered to be a two-legged module, with one leg configured as the inside interface (inside the network) and the other configured as the outside interface (outside the network).

To configure service sets, include the following statements at the [edit services] hierarchy level:

[edit services]
service-set service-set-name {
    (ids-rules rule-names | ids-rule-sets rule-set-name);
    (ipsec-vpn-rules rule-names | ipsec-vpn-rule-sets rule-set-name);
    (nat-rules rule-names | nat-rule-sets rule-set-name);
    (pgcp-rules rule-names | pgcp-rule-sets rule-set-name);
    (ptsp-rules rule-names | ptsp-rule-sets rule-set-name);
    (stateful-firewall-rules rule-names | stateful-firewall-rule-sets rule-set-name);
    allow-multicast;
    extension-service service-name {
        provider-specific rules;
    }
    interface-service {
        service-interface interface-name;
    }
    ipsec-vpn-options {
        anti-replay-window-size bits;
        clear-dont-fragment-bit;
        ike-access-profile profile-name;
        local-gateway address;
        no-anti-replay;
        passive-mode-tunneling;
        trusted-ca [ ca-profile-names ];
        tunnel-mtu bytes;
    }
    max-flows number;
    next-hop-service {
        inside-service-interface interface-name.unit-number;
        outside-service-interface interface-name.unit-number;
        service-interface-pool name;
    }
    syslog {
        host hostname {
            services severity-level;
            facility-override facility-name;
            log-prefix prefix-value;
        }
    }
}
adaptive-services-pics {
    traceoptions {
        file filename <files number> <match regex> <size size> <(world-readable | no-world-readable)>;
        flag flag;
    }
}
logging {
    traceoptions {
        file filename <files number> <match regex> <size size> <(world-readable | no-world-readable)>;
        flag flag;
    }
}
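
The following configuration is an added example, not taken from the original page. It applies one stateful firewall rule through both an interface-style and a next-hop-style service set. The interface names (sp-1/0/0, ge-0/0/0), the rule and service-set names, and the addresses are constructed for illustration.

```junos
/* Added example: names, interfaces, and addresses are constructed. */
services {
    stateful-firewall {
        rule sfw-rule {
            match-direction input-output;
            term accept-all {
                then { accept; }
            }
        }
    }
    /* Interface style: services every packet on interfaces that reference it. */
    service-set if-style-set {
        stateful-firewall-rules sfw-rule;
        interface-service {
            service-interface sp-1/0/0;
        }
    }
    /* Next-hop style: services only packets routed into the inside leg. */
    service-set nh-style-set {
        stateful-firewall-rules sfw-rule;
        next-hop-service {
            inside-service-interface sp-1/0/0.1;
            outside-service-interface sp-1/0/0.2;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                service {
                    input { service-set if-style-set; }
                    output { service-set if-style-set; }
                }
                address 192.0.2.1/24;
            }
        }
    }
    sp-1/0/0 {
        unit 0 { family inet; }
        unit 1 { family inet; service-domain inside; }
        unit 2 { family inet; service-domain outside; }
    }
}
routing-options {
    static {
        route 203.0.113.0/24 next-hop sp-1/0/0.1;
    }
}
```

With the next-hop style, only traffic that matches the static route reaches the service interface; any destination without such a route is forwarded without the stateful firewall being applied, so review the routes that steer traffic as carefully as the rules themselves.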

Published: 2013-07-30