[j-nsp] Juniper Services Question ?

Alex Arseniev alex.arseniev at gmail.com
Fri Oct 26 13:05:25 EDT 2012


The service-filter directs matching packets to a particular service-set.
So in a sense, the service-filter is executed first because the match happens 
on the ingress interface, and service-set execution happens inside the 
AS|MS-PIC|DPC when matching packets have entered the ingress interface and 
crossed the forwarding plane.
HTH
Rgds
Alex

----- Original Message ----- 
From: "Vasanth R S" <rsvasantheee at gmail.com>
To: <juniper-nsp at puck.nether.net>
Sent: Friday, October 26, 2012 12:22 PM
Subject: [j-nsp] Juniper Services Question ?


> If you have service-set and service-filter, which one will get serviced
> first?
>
> set interfaces ge-1/0/0 unit 1 family inet service input service-set ss-nat service-filter nat-exclude-input
> set interfaces ge-1/1/0 unit 2 family inet service input service-set ss-nat service-filter nat-exclude-input
>
> set firewall family inet service-filter nat-exclude-input term rfc1918 from destination-address 10.0.0.0/8
> set firewall family inet service-filter nat-exclude-input term rfc1918 from destination-address 172.16.0.0/12
> set firewall family inet service-filter nat-exclude-input term rfc1918 from destination-address 192.168.0.0/16
> set firewall family inet service-filter nat-exclude-input term rfc1918 then skip
> set firewall family inet service-filter nat-exclude-input term public from destination-prefix-list -public-nat-exclude
> set firewall family inet service-filter nat-exclude-input term public then skip
> set firewall family inet service-filter nat-exclude-input term default then service
>
>
> -- 
> Regards,
> Vasanth R S
> 
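The ordering described in the reply, as an added example that is not part of the original thread: a small Python model that parses the nat-exclude-input terms from the question, evaluates them first-match on the ingress interface, and hands only packets with action "service" to the service-set. The contents of the prefix list are not shown in the thread, so the prefix used for it here is constructed, and the function names are hypothetical.

```python
import ipaddress

# The service-filter from the question, set format, wrapped lines rejoined.
CONFIG = """\
set firewall family inet service-filter nat-exclude-input term rfc1918 from destination-address 10.0.0.0/8
set firewall family inet service-filter nat-exclude-input term rfc1918 from destination-address 172.16.0.0/12
set firewall family inet service-filter nat-exclude-input term rfc1918 from destination-address 192.168.0.0/16
set firewall family inet service-filter nat-exclude-input term rfc1918 then skip
set firewall family inet service-filter nat-exclude-input term public from destination-prefix-list -public-nat-exclude
set firewall family inet service-filter nat-exclude-input term public then skip
set firewall family inet service-filter nat-exclude-input term default then service
"""
# Constructed contents: the thread does not show what is in this prefix list.
PREFIX_LISTS = {"-public-nat-exclude": ["203.0.113.0/24"]}

def parse_service_filter(config, name, prefix_lists):
    """Return terms in configured order: {term: {"dst": nets or None, "action": str}}."""
    terms = {}
    head = f"set firewall family inet service-filter {name} term "
    for line in config.splitlines():
        if not line.startswith(head):
            continue
        term, kind, *rest = line[len(head):].split()
        entry = terms.setdefault(term, {"dst": None, "action": None})
        if kind == "then":
            entry["action"] = rest[0]
        elif rest[0] == "destination-address":
            entry["dst"] = (entry["dst"] or []) + [ipaddress.ip_network(rest[1])]
        elif rest[0] == "destination-prefix-list":
            nets = [ipaddress.ip_network(p) for p in prefix_lists[rest[1]]]
            entry["dst"] = (entry["dst"] or []) + nets
    return terms

def evaluate(terms, dst):
    """First matching term wins; a term with no 'from' matches every packet."""
    addr = ipaddress.ip_address(dst)
    for name, entry in terms.items():
        if entry["dst"] is None or any(addr in net for net in entry["dst"]):
            return name, entry["action"]
    return None, None  # no term matched; not reachable with the filter above

def ingress(terms, dst, service_set="ss-nat"):
    """Stage 1 is the filter on the ingress interface; stage 2 (the
    service-set on the services PIC) sees only packets with action 'service'."""
    term, action = evaluate(terms, dst)
    return {"term": term, "action": action,
            "service_set": service_set if action == "service" else None}
```

Only destination matches are modelled, which is all the filter in the question uses.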


