Introduces Virtual Fragmentation Reassembly, describing how it collects and reassembles IP fragments lacking Layer 4 information, supports dynamic ACL analysis for security, enables features like firewall and NAT inspection, and outlines default and reassembly modes for packet processing and interoperability.
A Virtual Fragmentation Reassembly (VFR) is a Cisco feature that
- allows a router to collect IP fragments even if they lack necessary Layer 4 information,
- performs dynamic access control list (ACL) analysis for security, and
- enables security features such as Cisco IOS Firewall and NAT to inspect traffic.
While data is transmitted across a network, various network constraints cause the original packets to be split into smaller fragments so that transmission can proceed. Packets are also fragmented as they pass through the Cisco IOS XE Catalyst SD-WAN device. VFR allows the fragmented packets to be reassembled efficiently before they reach their destination.
Packet reassembly modes
In a Cisco Catalyst SD-WAN network, data packets undergo reassembly in one of two modes:
- Default mode: Packets are virtually reassembled by default. Upon delivery of the first fragment, each feature in the network receives the entire payload of the virtually reassembled packet. When the last fragment is received, the remaining features reassemble the packet. The original packet stays fragmented, and the internal fragment information structure is shared. The fragments are then queued for refragmentation based on the fragment-offset sequence. The VFR mechanism reconstructs the packet using information from the fragment headers, such as fragment identifiers, sequence numbers, and offsets.
- Reassembly mode: Packets undergo physical reassembly, and fragment header information isn't saved. Upon receipt of the last fragment, the fragments are reassembled via a metapacket, and the internal fragment information structure is released.
If the packets were originally fragmented using the default mode, they are reassembled as if they were the original incoming packets. On the other hand, when reassembly mode is used to virtually fragment the packets, they are fragmented according to the MTU of the egress interface before reassembly.
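The following Python example is added here to illustrate the reassembly logic described above; it is not Cisco code and does not model the IOS XE implementation. It parses constructed IPv4 fragments, shows that only the offset-0 fragment carries the Layer 4 header (so ports cannot be read from later fragments), collects fragments per (source, destination, identification, protocol) until the datagram is contiguous, and then contrasts the two modes: default mode forwards the original fragments in offset order, while reassembly mode builds one physical datagram and refragments it only according to an egress MTU. The sample addresses, identification value and UDP payload are constructed; `build_fragments`, `VirtualReassembler` and the mode helpers are hypothetical names for this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int
    proto: int
    offset: int      # byte offset of this fragment's payload within the original datagram
    more: bool       # More Fragments (MF) flag
    payload: bytes


def parse_ipv4(raw: bytes) -> Fragment:
    """Parse a minimal IPv4 header (no options) and return the fragment metadata and payload."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)          # MF bit
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset is in 8-byte units
    return Fragment(".".join(map(str, src)), ".".join(map(str, dst)),
                    ident, proto, offset, more, raw[ihl:total_len])


def l4_ports(frag: Fragment) -> Optional[Tuple[int, int]]:
    """Only the first fragment (offset 0) carries the Layer 4 header; others yield no port info."""
    if frag.offset != 0 or len(frag.payload) < 4:
        return None
    return struct.unpack("!HH", frag.payload[:4])


class VirtualReassembler:
    """Collect fragments per datagram key and return them in offset order once contiguous."""

    def __init__(self) -> None:
        self.table: Dict[tuple, Dict[int, Fragment]] = {}

    def add(self, frag: Fragment) -> Optional[List[Fragment]]:
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        frags = self.table.setdefault(key, {})
        frags[frag.offset] = frag
        last = [f for f in frags.values() if not f.more]   # the MF=0 fragment fixes the total length
        if not last:
            return None
        total = last[0].offset + len(last[0].payload)
        pos, ordered = 0, []
        while pos < total:                                  # walk the offset sequence; any gap means incomplete
            f = frags.get(pos)
            if f is None:
                return None
            ordered.append(f)
            pos += len(f.payload)
        del self.table[key]                                 # release the fragment state
        return ordered


def build_fragments(src: str, dst: str, ident: int, proto: int, payload: bytes, chunk: int) -> List[bytes]:
    """Constructed helper: split a payload into IPv4 fragments of `chunk` bytes (multiple of 8)."""
    assert chunk % 8 == 0
    out = []
    for off in range(0, len(payload), chunk):
        part = payload[off:off + chunk]
        more = off + chunk < len(payload)
        flags_frag = (0x2000 if more else 0) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(part), ident, flags_frag, 64, proto, 0,
                          bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        out.append(hdr + part)
    return out


def forward_default_mode(ordered: List[Fragment]) -> List[Tuple[int, int]]:
    """Default (virtual) mode: the original fragments are forwarded unchanged, in offset order."""
    return [(f.offset, len(f.payload)) for f in ordered]


def forward_reassembly_mode(ordered: List[Fragment], egress_mtu: int) -> List[bytes]:
    """Reassembly mode: one physical datagram, refragmented only if it exceeds the egress MTU."""
    data = b"".join(f.payload for f in ordered)
    f0 = ordered[0]
    return build_fragments(f0.src, f0.dst, f0.ident, f0.proto, data, ((egress_mtu - 20) // 8) * 8)


def demo() -> dict:
    """Constructed scenario: a 24-byte UDP datagram split into three 8-byte fragments, delivered out of order."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 16, 0) + b"A" * 16
    raw_frags = build_fragments("10.0.0.1", "10.0.0.2", 0x1234, 17, udp, 8)
    reassembler = VirtualReassembler()
    per_fragment_ports, result = [], None
    for raw in (raw_frags[2], raw_frags[0], raw_frags[1]):
        frag = parse_ipv4(raw)
        per_fragment_ports.append(l4_ports(frag))       # ports visible without reassembly
        done = reassembler.add(frag)
        if done:
            result = done
    data = b"".join(f.payload for f in result)
    return {
        "per_fragment_ports": per_fragment_ports,
        "ports_after_reassembly": struct.unpack("!HH", data[:4]),
        "default_mode": forward_default_mode(result),
        "reassembly_mode_small_mtu": len(forward_reassembly_mode(result, 36)),
        "reassembly_mode_big_mtu": len(forward_reassembly_mode(result, 1500)),
    }


if __name__ == "__main__":
    print(demo())
```

The per-fragment port check returns a value only for the offset-0 fragment, which is exactly why an ACL or firewall cannot classify the other fragments on their own; once `VirtualReassembler.add` returns the complete offset sequence, the Layer 4 header is readable and the default-mode path hands the untouched fragments on, whereas the reassembly-mode path yields a single datagram (or egress-MTU-sized pieces of it) with the original fragment boundaries gone.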
Some features (such as NAT, Cisco IOS XE Firewall, and IPsec) automatically enable VFR in order to obtain Layer 4 or Layer 7 information.
When VFR is enabled on a particular interface, it overrides the existing VFR mode configuration of the firewall or NAT by default, ensuring interoperability with the firewall or NAT.