ACL-Based Forwarding Configuration
Configuring ACL-Based Forwarding (ABF) happens in three stages:
- Define a Standard Access List (ACL) to match packets
Packets matching a permit rule in this ACL are forwarded using the ABF policy. Packets matching a deny rule are excluded from ABF handling.
- Define ABF policies which reference standard ACLs
- Attach ABF policies to an interface where the traffic will ingress
For a complete example, see ACL-Based Forwarding Example.
This section covers the parts of the process specific to ABF.
ABF Policy Configuration
From config mode, the route acl-based-forwarding policy <id> command defines a new ABF policy with the given ID and enters config-abf-policy mode where the properties of the policy are set.
The properties of an ABF policy work in a similar manner to the properties of the same type directly on routes. See Managing Routes for details.
From config-abf-policy mode, the following commands are available:
- acl <acl-name>
Defines the Standard Access List (ACL) to match for this ABF policy.
- (ipv4-next-hop|ipv6-next-hop) <hop-id>
Defines the next hop of the address family type with the given ID and enters config-abf-policy-ipv6-nh mode depending on the given command form.
When defining a next hop in config-abf-policy-ipv6-nh mode, the following commands are available:
Drops traffic matching this policy (null route).
- interface <if-name>
The interface through which TNSR can reach the next hop address.
- (ipv4-address|ipv6-address) <addr>
The IP address of the next hop to which TNSR will route packets matching this policy. The only available form of this command is the one which matches the address family given when creating the next hop entry.
When set, the packets will be sent to the interface as though the destination is directly attached.
Packets matching this policy will be dropped by TNSR, and TNSR will send an ICMP “Destination administratively prohibited” message back to the source address.
Packets matching this policy will be dropped by TNSR, and TNSR will send an ICMP “Destination unreachable” message back to the source address.
- weight <uint8>
The weight of routes to the same destination. Acts as a ratio of packets to deliver to each next hop. Value must be from
ABF Policy Interface Attachment
For an ABF policy to have any effect, it must be attached to an interface where traffic enters TNSR (ingress).
From config mode, the route acl-based-forwarding interface <if-name> command enters config-abf-interface where ABF policies can be attached to the given interface.
From config-abf-interface mode, the policy <policy-id> (ipv4|ipv6) priority <uint32> command attaches an ABF policy to this interface at a set
The parameters to the policy command are:
- <policy-id>
References the ABF policy used to process packets entering this interface.
- (ipv4|ipv6)
Defines whether this ABF policy should be processed for IPv4 or IPv6 traffic.
- priority <uint32>
Sets a priority for this ABF policy. If there are multiple ABF policies attached to an interface TNSR will process them in order of priority.
The policy command can be repeated to define multiple policies for an
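
The policy definition and interface attachment described above, as an added example that is not from the original page. Policy ID 1, hop ID 0, the ACL name abf-v6-lan, the interface names LAN and WAN2, and the documentation-range address are constructed values, and the ACL is assumed to already exist with IPv6 permit rules. Indentation marks the mode each command is entered in, and exit leaves the current mode.

```text
route acl-based-forwarding policy 1
    acl abf-v6-lan
    ipv6-next-hop 0
        ipv6-address 2001:db8:0:2::1
        interface WAN2
        exit
    exit
route acl-based-forwarding interface LAN
    policy 1 ipv6 priority 10
    exit
```

The policy is attached to LAN because that is where the matched traffic enters TNSR. The address family given on the policy line (ipv6) matches the family of the next hop defined in the policy.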