Forwarding Based on Next-Hop Addresses for Input IPv4 and IPv6 Policies

You can define policies for incoming IPv4 and IPv6 traffic and apply the policy lists to the ingress of an interface to enable packet forwarding and routing operations to be performed based on the configured rules and actions. The forward rules that you define in classifier groups contained in a policy list define the forwarding mechanism for IPv4 and IPv6 packets that match the specified classifier access list (CLACL). You can use the forward interface command to specify multiple IPv4 interfaces for IPv4 policy lists and the forward next-hop command to specify next-hop addresses as possible forwarding solutions for IPv4 and IPv6 policy lists.

The next-hop and next-interface actions override the routing table lookup. In an environment in which Gigabit Ethernet uplink modules are connected to broadcast networks, you can use the next-hop actions for routing and forwarding of traffic. For IPv6 traffic, you cannot configure a forward rule to transmit packets that match a specific CLACL to a specific interface or multiple interfaces. However, you can configure a rule to forward packets that match a CLACL to multiple interfaces for IPv4 traffic.

You can specify multiple next-hop addresses or actions in a single forwarding policy rule. In such a case, packets are forwarded to the first available next-hop address that contains a route in the routing table. You can use the order keyword with the forward next-hop command in Classifier Group Configuration mode to specify the order of the group of forwarding solutions within a single forward rule.

To enable a forwarding solution to function by overriding the routing table lookup, you can configure policies with one or multiple next-hop addresses. Dynamic selection of the next-hop address is available. If a next-hop with the lowest order becomes reachable or is added freshly to a forward rule, the currently processed element is disregarded and the new next-hop entry is considered. If multiple next-hop addresses specified in the policy list have the same order, the selection is done based on the reachability and the first configured entry. You can specify a maximum of 20 forwarding solutions for a classifier. This limit encompasses the forward next-hop and the next-interface actions.

You can configure multiple next-hop elements in a forward rule for only the same virtual router. You cannot configure multiple forward next-hop rules in a policy that spans across different VRs. If only next-hop elements exist and you do not use the virtual-router option with the forward next-hop command, then the policy assumes the virtual router context of the CLI, making the policy specific to that VR. The policy can be attached only to interfaces that belong to that VR. You can use the virtual-router keyword with the forward next-hop command to specify a VR other than the default VR to enable the configuration of next-hop elements for that VR.

When a next-hop address is reachable, only if it has an entry in the routing table, this next-hop can be a default route in certain scenarios. In such cases, you can include the ignore-default-route keyword with the forward next- hop command to cause the default route to be not considered for the next-hop determination.

If next-hop selection changes dynamically, because of changes in the order of the action or changes in the reachability state of the next-hop, the statistics associated with the next-hop action are preserved, if collection of statistical details is enabled in the policy list. The statistical information is used per classifier rule that has a list of multiple next-hop actions.

Keep the following guidelines in mind while configuring forwarding rules based on next-hop addresses for input IPv6 policies:

• You can configure the rule to forward all packets that match a CLACL to a particular next-hop address only for input IPv6 policies on routers with ES2 4G LMs, ES2 10G LMs, and ES2 10G Uplink LMs (policies applied to ingress interfaces) or IPv6 policies on ES2 4G LMs, ES2 10G LMs, and ES2 10G Uplink LMs that function as access line modules (line modules with policies that receive traffic from low-speed circuits and route it to uplink modules).
• You cannot configure next-hop addresses as forwarding rules for IPv6 policies when the ES2 4G LMs, ES2 10G LMs, and ES2 10G Uplink LMs are core-facing, uplink modules. However, when the ES2 4G LMS, ES2 10G LMs, and ES2 10G Uplink LMs operate as access modules for forwarding rules for IPv6 policies, you can configure the core-facing modules as ES2 4G LMs, ES2 10G LMs, ES2 10G Uplink LMs, or ES2 10G ADV LMs.
• The performance of the policy manager application might be slightly impacted if you configure a significant number of IPv6 policies with forward rules and the reachability states of the configured next-hop addresses transition frequently.
• Forwarding of traffic based on next-hop addresses in input IPv6 policy lists is available only for ingress IPv6 interfaces that are configured over Ethernet or MPLS interfaces.
• You cannot configure forward rules based on next-hop addresses in policy lists for IPv6 interfaces over GRE tunnels.
• You can configure only indirect next-hop addresses while configuring forwarding rules based on next-hop addresses for input IPv6 policies.
• You cannot configure link-local, loopback, or multicast addresses for forwarding of traffic based on next-hop addresses in a classifier group in an IPv6 policy list. If you attempt to configure these types of addresses as next-hop addresses for forwarding of traffic using the forward next-hop command for IPv6 policy lists, an error message is displayed.