Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

Mikael Abrahamsson swmike at swm.pp.se
Fri Sep 30 01:13:37 CDT 2011


On Fri, 30 Sep 2011, Christopher Morrow wrote:

> If you do nothing the default behavior is to send the packet to the 
> RP... why? (why would you want this packet sent to the RP? it's got a 
> valid destination, no? so deliver it out the egress interface?)

I was told it's because PFC3B can't look into the packet far enough to 
determine what the payload is (TCP/UDP etc) and port, that's only the RP 
that can do ACL handling of the packet.

So if you configure "forward", people can put a fragmentation header on 
the packet and skip past your ACL.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se



More information about the NANOG mailing list