ACL-Based Forwarding Configuration

Configuring ACL-Based Forwarding (ABF) happens in three stages:

  • Define a Standard Access List (ACL) to match packets

    Packets matching a permit rule in this ACL are forwarded using the ABF policy. Packets matching a deny rule are excluded from ABF handling.

  • Define ABF policies which reference standard ACLs

  • Attach ABF policies to an interface where the traffic will ingress

See also

For a complete example, see ACL-Based Forwarding Example.

This section covers the parts of the process specific to ABF.

ABF Policy Configuration

Starting from config mode, the route acl-based-forwarding policy <id> command defines a new ABF policy with the given ID and enters config-abf-policy mode where the properties of the policy are set.

See also

The properties of an ABF policy work in a similar manner to the properties of the same type directly on routes. See Managing Routes for details.

From within config-abf-policy mode the following commands are available:

acl <acl-name>:

Defines the Standard Access List (ACL) to match for this ABF policy.

(ipv4-next-hop|ipv6-next-hop) <hop-id>:

Defines the next hop of the address family type with the given ID and enters config-abf-policy-ipv4-nh or config-abf-policy-ipv6-nh mode depending on the given command form.

When defining a next hop in config-abf-policy-ipv4-nh or config-abf-policy-ipv6-nh mode the following commands are available:

drop:

Drops traffic matching this policy (null route).

interface <if-name>:

The interface through which TNSR can reach the next hop address.

(ipv4-address|ipv6-address) <addr>:

The IP address of the next hop to which TNSR will route packets patching this policy. The only available form of this command is the one which matches the address family given when creating the next hop entry.

local:

When set, the packets will be sent to the interface as though the destination is directly attached.

prohibited:

Packets matching this policy will be dropped by TNSR, and TNSR will send an ICMP “Destination administratively prohibited” message back to the source address.

unreachable:

Packets matching this policy will be dropped by TNSR, and TNSR will send an ICMP “Destination unreachable” message back to the source address.

weight <uint8>:

The weight of routes to the same destination. Acts as a ratio of packets to deliver to each next hop. Value must be from 1 to 255.

ABF Policy Interface Attachment

For an ABF policy to have any effect, it must be attached to an interface where traffic enters TNSR (ingress).

Starting from config mode, the route acl-based-forwarding interface <if-name> command enters config-abf-interface where ABF policies can be attached to the given interface.

From within config-abf-interface mode, the policy <policy-id> (ipv4|ipv6) priority <uint32> command attaches an ABF policy to this interface at a set priority.

The parameters to the policy command are:

<policy-id>:

References the ABF policy used to process packets entering this interface

(ipv4|ipv6):

Defines whether this ABF policy should be processed for IPv4 or IPv6 traffic.

priority <uint32>:

Sets a priority for this ABF policy. If there are multiple ABF policies attached to an interface TNSR will process them in order of priority.

The policy command can be repeated to define multiple policies for an interface.