Patent attributes
One embodiment of the present invention provides a switch. The switch includes a storage device, a rule management module, an inner packet module, and a packet processor. During operation, the rule management module obtains a rule associated with a data flow within tunnel encapsulation of a tunnel. This rule indicates how the flow is to be processed at the switch. The rule management module then applies an initial rule to a respective line card of the switch. The initial rule is derived from a virtual network identifier, which is associated with the tunnel, of the obtained rule. The inner packet module determines that a first inner packet, which is encapsulated with a first encapsulation header, belongs to the flow without decapsulating the first encapsulation header. The rule management module applies the obtained rule to a line card associated with an ingress port of the encapsulated first inner packet.
