Behavior of ACL in PBR on Nexus 7K Containing both L3 and L4 Information

This document describes the behavior of Policy-Based Routing (PBR) on Nexus Switches when you filter based on Layer 3 (L3) and Layer 4 (L4) information.

If you add a sequence in PBR in order to match specific L4 information, as a feature N7K creates entries for Access Control Entry (ACEs) and a fragment ACE is created automatically that matches the L3 info specified in the match sequence. In case of fragmented packets, the first packet known as initial fragment contains the L4 header and is matched correctly in the Access Control List (ACL). However, the next fragments known as non-initial fragments do not contain any L4 information and thus if the L3 portion of the ACL entry matches, the non-initial fragment is permitted. So utmost care should be taken, while filtering the traffic based on L4 information, as the non-initial fragments might be wrongly routed in the absence of L4 information.

For detailed explanation, please visit:



Categories: IPv4, Routing

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s