ACL-Based Forwarding Configuration¶
Configuring ACL-Based Forwarding (ABF) happens in three stages:
Define a Standard Access List (ACL) to match packets
Packets matching a
permit
rule in this ACL are forwarded using the ABF policy. Packets matching adeny
rule are excluded from ABF handling.Define ABF policies which reference standard ACLs
Attach ABF policies to an interface where the traffic will ingress
See also
For a complete example, see ACL-Based Forwarding Example.
This section covers the parts of the process specific to ABF.
ABF Policy Configuration¶
Starting from config
mode, the route acl-based-forwarding policy <id>
command defines a new ABF policy with the given ID and enters
config-abf-policy
mode where the properties of the policy are set.
See also
The properties of an ABF policy work in a similar manner to the properties of the same type directly on routes. See Managing Routes for details.
From within config-abf-policy
mode the following commands are available:
- acl <acl-name>:
Defines the Standard Access List (ACL) to match for this ABF policy.
- (ipv4-next-hop|ipv6-next-hop) <hop-id>:
Defines the next hop of the address family type with the given ID and enters
config-abf-policy-ipv4-nh
orconfig-abf-policy-ipv6-nh
mode depending on the given command form.
When defining a next hop in config-abf-policy-ipv4-nh
or
config-abf-policy-ipv6-nh
mode the following commands are available:
- drop:
Drops traffic matching this policy (null route).
- interface <if-name>:
The interface through which TNSR can reach the next hop address.
- (ipv4-address|ipv6-address) <addr>:
The IP address of the next hop to which TNSR will route packets patching this policy. The only available form of this command is the one which matches the address family given when creating the next hop entry.
- local:
When set, the packets will be sent to the interface as though the destination is directly attached.
- prohibited:
Packets matching this policy will be dropped by TNSR, and TNSR will send an ICMP “Destination administratively prohibited” message back to the source address.
- unreachable:
Packets matching this policy will be dropped by TNSR, and TNSR will send an ICMP “Destination unreachable” message back to the source address.
- weight <uint8>:
The weight of routes to the same destination. Acts as a ratio of packets to deliver to each next hop. Value must be from
1
to255
.
ABF Policy Interface Attachment¶
For an ABF policy to have any effect, it must be attached to an interface where traffic enters TNSR (ingress).
Starting from config
mode, the route acl-based-forwarding interface
<if-name>
command enters config-abf-interface
where ABF policies can be
attached to the given interface.
From within config-abf-interface
mode, the policy <policy-id> (ipv4|ipv6)
priority <uint32>
command attaches an ABF policy to this interface at a set
priority.
The parameters to the policy
command are:
- <policy-id>:
References the ABF policy used to process packets entering this interface
- (ipv4|ipv6):
Defines whether this ABF policy should be processed for IPv4 or IPv6 traffic.
- priority <uint32>:
Sets a priority for this ABF policy. If there are multiple ABF policies attached to an interface TNSR will process them in order of priority.
The policy
command can be repeated to define multiple policies for an
interface.