Implementing ACL Functionality on the BCM53115
Uploaded: 2022-11-24
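An ACL (Access Control List) is a list of instructions on router and switch interfaces, used to control the packets entering and leaving a port.
The table contains match relations, conditions and query statements. The table itself is only a framework; its purpose is to control some kind of access.
In essence, an ACL is a flow classification technique: a set of manually defined rules whose purpose is to have network devices classify data flows so that user-specified actions can be carried out.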
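1. Introduction to the BCM53115 ACL
The BCM53115 ACL is implemented by the CFP (Compact Field Processor) module.
The BCM53115 CFP supports 256 rules in total.
These rules are stored in order in the physical TCAM (Ternary Content-Aware Memory) entries, indexed 0~255.
A Slice n Key can be understood as a logical rule. There are 4 slices: Slice 0~3.
Slice 0~2 can match IPv4, IPv6 and Non-IP packets.
Slice 3 can be combined with Slice 0 to form a combined slice, used to match IPv6 packets (a combined slice can match more fields).
When the chip receives a packet, it looks up the TCAM table. When an entry in the TCAM table matches the packet, the corresponding operations are performed: rate limiting (Rate Meters), statistics (Counters), and actions (Action).
Actions include dropping the packet, forwarding it to another port, replacing the DSCP value, and so on.
If several rules match, the one with the highest priority takes effect.
The larger the slice number, the higher the priority (when a combined slice exists, the combined slice has the highest priority).
Within the same slice, the smaller the index, the higher the priority.
The Slice Key of a CFP rule is 232 bits wide and comes in 4 formats, corresponding to IPv4 packets, IPv6 packets and Non-IP packets under an independent slice, and IPv6 packets under a combined slice.
The formats are described below.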
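The priority rules above, written out as a small C model. This is an added example, not code from the original document or from Broadcom; `struct cfp_hit`, `cfp_rank` and `cfp_winner` are hypothetical names, and representing the combined Slice 3 + Slice 0 rule with a `combined` flag is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>

/* One TCAM entry that matched the packet (constructed model, not chip data). */
struct cfp_hit {
    uint8_t index;     /* TCAM entry index, 0~255 */
    uint8_t slice;     /* slice the entry belongs to, 0~3 */
    int     combined;  /* non-zero: entry belongs to the combined Slice 3 + Slice 0 rule */
};

/* The combined slice outranks every independent slice; otherwise the larger
 * slice number wins. */
static int cfp_rank(const struct cfp_hit *h) {
    return h->combined ? 4 : h->slice;
}

/* Return the TCAM index of the rule that takes effect, or -1 if nothing matched. */
static int cfp_winner(const struct cfp_hit *hits, size_t n) {
    const struct cfp_hit *best = NULL;
    for (size_t i = 0; i < n; i++) {
        const struct cfp_hit *h = &hits[i];
        if (best == NULL || cfp_rank(h) > cfp_rank(best) ||
            (cfp_rank(h) == cfp_rank(best) && h->index < best->index))
            best = h;   /* same slice: the smaller index has priority */
    }
    return best ? best->index : -1;
}
```

When auditing a rule set, this ordering means a permissive entry in a higher slice overrides a drop entry in a lower slice regardless of their TCAM indexes.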
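2. BCM53115 CFP-Related Registers
1. CFP TCAM Data Register 0~7 (Page A0h: Address 10h–2Fh) and CFP TCAM Mask Register 0~7 (Page A0h: Address 30h–4Fh)
- TCAM data and mask registers. They correspond to the Slice Key described above. Not every field of the Slice Key has to be matched; for a field that does not need to be matched, set the corresponding bits of the mask register to 0.
- The following 4 tables show how the 4 slice formats map onto the TCAM data and mask registers.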
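Table 1: Slice Format for IPv4 Packets

| Field | Width (bits) | Slice Bit Map | TCAM Data/Mask Register Map | TCAM Register Bit Map | Description |
|---|---|---|---|---|---|
| Source_PortMap | 8 | 231:224 | Data Register 7 (Page A0h, 2Ch–2Fh); Mask Register 7 (Page A0h, 4Ch–4Fh) | Bit[7:0] | The ingress port select to which the rule applies. To enable a key to a port or ports, the corresponding port mask bit should be set to 0, regardless of the setting state in the key field. |
| S_Tag_Status | 2 | 223:222 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[31:30] | 00 = the packet was originally received without S Tag. 01 = the packet was originally received with SVID = 0. 10 = reserved. 11 = the packet was originally received with SVID = not 0. |
| C_Tag_Status | 2 | 221:220 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[29:28] | 00 = the packet was originally received without C Tag. 01 = the packet was originally received with CVID = 0. 10 = reserved. 11 = the packet was originally received with CVID = not 0. |
| L2_Framing | 2 | 219:218 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[27:26] | 00 = DIXv2. 01 = SNAP Public. |
| L3_Framing | 2 | 217:216 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[25:24] | 00 = IPv4 |
| IP_TOS | 8 | 215:208 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[23:16] | Type of Service field in IPv4 header |
| IP_Protocol | 8 | 207:200 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[15:8] | Protocol field in IPv4 header |
| IP_Fragmentation | 1 | 199 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[7] | 0 = not fragmented. 1 = fragmented. |
| Non_First_Fragment | 1 | 198 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[6] | 0 = not fragmented or first fragment. 1 = not first fragment. |
| IP_Authentication | 1 | 197 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[5] | 0 = not authenticated. 1 = authenticated. |
| TTL_Range | 2 | 196:195 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[4:3] | 00: TTL = 0. 01: TTL = 1. 10: TTL = others. 11: TTL = 255. |
| Reserved | 2 | 194:193 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[2:1] | Default to zero |
| UDF_Valid[8] | 1 | 192 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[0] | Indicates whether UDF_n_A8 is valid |
| UDF_Valid[7:0] | 8 | 191:184 | Data Register 5 (Page A0h, 24h–27h); Mask Register 5 (Page A0h, 44h–47h) | Bit[31:24] | Indicates if UDF_n_A[7:0] is valid |
| S-Tag | 16 | 183:168 | Data Register 5 (Page A0h, 24h–27h); Mask Register 5 (Page A0h, 44h–47h) | Bit[23:8] | The SVLAN tag is carried in the packet explicitly or is generated implicitly based on the ingress port default setting. |
| C-Tag | 8 | 167:160 | Data Register 5 (Page A0h, 24h–27h); Mask Register 5 (Page A0h, 44h–47h) | Bit[7:0] | The CVLAN tag is carried in the packet explicitly or is generated implicitly based on the ingress port default setting. |
| C-Tag | 8 (LSB) | 159:152 | Data Register 4 (Page A0h, 20h–23h); Mask Register 4 (Page A0h, 40h–43h) | Bit[31:24] | |
| UDF_n_A8 | 16 | 151:136 | Data Register 4 (Page A0h, 20h–23h); Mask Register 4 (Page A0h, 40h–43h) | Bit[23:8] | Must be validated by UDF_Valid[8] |
| UDF_n_A7 | 8 | 135:128 | Data Register 4 (Page A0h, 20h–23h); Mask Register 4 (Page A0h, 40h–43h) | Bit[7:0] | Must be validated by UDF_Valid[7] |
| UDF_n_A7 | 8 (LSB) | 127:120 | Data Register 3 (Page A0h, 1Ch–1Fh); Mask Register 3 (Page A0h, 3Ch–3Fh) | Bit[31:24] | |
| UDF_n_A6 | 16 | 119:104 | Data Register 3 (Page A0h, 1Ch–1Fh); Mask Register 3 (Page A0h, 3Ch–3Fh) | Bit[23:8] | Must be validated by UDF_Valid[6] |
| UDF_n_A5 | 8 | 103:96 | Data Register 3 (Page A0h, 1Ch–1Fh); Mask Register 3 (Page A0h, 3Ch–3Fh) | Bit[7:0] | Must be validated by UDF_Valid[5] |
| UDF_n_A5 | 8 (LSB) | 95:88 | Data Register 2 (Page A0h, 18h–1Bh); Mask Register 2 (Page A0h, 38h–3Bh) | Bit[31:24] | |
| UDF_n_A4 | 16 | 87:72 | Data Register 2 (Page A0h, 18h–1Bh); Mask Register 2 (Page A0h, 38h–3Bh) | Bit[23:8] | Must be validated by UDF_Valid[4] |
| UDF_n_A3 | 8 | 71:64 | Data Register 2 (Page A0h, 18h–1Bh); Mask Register 2 (Page A0h, 38h–3Bh) | Bit[7:0] | Must be validated by UDF_Valid[3] |
| UDF_n_A3 | 8 (LSB) | 63:56 | Data Register 1 (Page A0h, 14h–17h); Mask Register 1 (Page A0h, 34h–37h) | Bit[31:24] | |
| UDF_n_A2 | 16 | 55:40 | Data Register 1 (Page A0h, 14h–17h); Mask Register 1 (Page A0h, 34h–37h) | Bit[23:8] | Must be validated by UDF_Valid[2] |
| UDF_n_A1 | 8 | 39:32 | Data Register 1 (Page A0h, 14h–17h); Mask Register 1 (Page A0h, 34h–37h) | Bit[7:0] | Must be validated by UDF_Valid[1] |
| UDF_n_A1 | 8 (LSB) | 31:24 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[31:24] | |
| UDF_n_A0 | 16 | 23:8 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[23:8] | Must be validated by UDF_Valid[0] |
| Reserved | 4 | 7:4 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[7:4] | Defaults to zero |
| Slice_ID | 2 | 3:2 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[3:2] | Logical CFP rule for slice identification: 00 = slice 0, 01 = slice 1, 10 = slice 2, 11 = slice 3 |
| Slice_Valid | 2 | 1:0 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[1:0] | Bits used to validate the corresponding slice and must be set to 2'b11. |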
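How the Table 1 bit positions translate into the eight data/mask register words, as an added C example that is not part of the original document or any Broadcom SDK. All function names are hypothetical, `cfp_match` is a software model of the ternary compare, and setting the mask bits of Slice_ID and Slice_Valid is an assumption; writing the words to the chip is left out.

```c
#include <stdint.h>
#include <string.h>

#define CFP_WORDS 8  /* TCAM Data/Mask Register 0~7, 32 bits each */

/* Write val into slice-key bits hi:lo. Slice bit N sits in register N/32,
 * bit N%32, matching Table 1 (e.g. 223:222 -> Register 6, Bit[31:30]). */
static void cfp_set(uint32_t r[CFP_WORDS], int hi, int lo, uint32_t val) {
    for (int b = lo; b <= hi; b++, val >>= 1) {
        r[b / 32] &= ~(1u << (b % 32));
        r[b / 32] |= (val & 1u) << (b % 32);
    }
}

/* Read slice-key bits hi:lo back out of the register words. */
static uint32_t cfp_get(const uint32_t r[CFP_WORDS], int hi, int lo) {
    uint32_t v = 0;
    for (int b = hi; b >= lo; b--)
        v = (v << 1) | ((r[b / 32] >> (b % 32)) & 1u);
    return v;
}

/* Page A0h address of Data/Mask Register n (10h–2Fh and 30h–4Fh). */
static uint8_t cfp_data_addr(int n) { return (uint8_t)(0x10 + 4 * n); }
static uint8_t cfp_mask_addr(int n) { return (uint8_t)(0x30 + 4 * n); }

/* Build data and mask words for an IPv4 rule in `slice` that compares only
 * IP_Protocol. Source_PortMap mask stays 0, which per Table 1 enables the ports. */
static void cfp_ipv4_proto_rule(uint32_t data[CFP_WORDS], uint32_t mask[CFP_WORDS],
                                uint32_t slice, uint32_t proto) {
    memset(data, 0, CFP_WORDS * sizeof *data);
    memset(mask, 0, CFP_WORDS * sizeof *mask);   /* mask bit 0 = not compared */
    cfp_set(data, 217, 216, 0x0);   cfp_set(mask, 217, 216, 0x3);  /* L3_Framing = IPv4 */
    cfp_set(data, 207, 200, proto); cfp_set(mask, 207, 200, 0xFF); /* IP_Protocol */
    cfp_set(data, 3, 2, slice);     cfp_set(mask, 3, 2, 0x3);      /* Slice_ID (assumed compared) */
    cfp_set(data, 1, 0, 0x3);       cfp_set(mask, 1, 0, 0x3);      /* Slice_Valid = 2'b11 */
}

/* Software model of the ternary compare: only bits with mask bit 1 count. */
static int cfp_match(const uint32_t key[CFP_WORDS], const uint32_t data[CFP_WORDS],
                     const uint32_t mask[CFP_WORDS]) {
    for (int i = 0; i < CFP_WORDS; i++)
        if ((key[i] ^ data[i]) & mask[i]) return 0;
    return 1;
}
```

A field whose mask bits are left at 0 is a wildcard, so a rule with an all-zero mask word matches every value of the fields in that word; check the mask words as carefully as the data words when reviewing a drop or redirect rule.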
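Table 2: Slice Format for IPv6 Packets

| Field | Width (bits) | Slice Bit Map | TCAM Data/Mask Register Map | TCAM Register Bit Map | Description |
|---|---|---|---|---|---|
| Source_PortMap | 8 | 231:224 | Data Register 7 (Page A0h, 2Ch–2Fh); Mask Register 7 (Page A0h, 4Ch–4Fh) | Bit[7:0] | The ingress port select to which the rule applies. To enable a key to a port or ports, the corresponding port mask bit should be set to 0, regardless of the setting state in the key field. |
| S_Tag_Status | 2 | 223:222 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[31:30] | 00 = the packet was originally received without S Tag. 01 = the packet was originally received with SVID = 0. 10 = reserved. 11 = the packet was originally received with SVID = not 0. |
| C_Tag_Status | 2 | 221:220 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[29:28] | 00 = the packet was originally received without C Tag. 01 = the packet was originally received with CVID = 0. 10 = reserved. 11 = the packet was originally received with CVID = not 0. |
| L2_Framing | 2 | 219:218 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[27:26] | 00 = DIXv2. 01 = SNAP Public. |
| L3_Framing | 2 | 217:216 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[25:24] | 01 = IPv6 |
| IP_TrafficClass | 8 | 215:208 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[23:16] | IPv6 header Traffic Class field |
| IP_NextHeader | 8 | 207:200 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[15:8] | Last parsed next header from the IPv6 header/extension header chain. |
| IP_Fragmentation | 1 | 199 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[7] | 0 = not fragmented. 1 = fragmented. |
| Non_First_Fragment | 1 | 198 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[6] | 0 = not fragmented or first fragment. 1 = not first fragment. |
| IP_Authentication | 1 | 197 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[5] | 0 = not authenticated. 1 = authenticated. |
| HopLimitRange | 2 | 196:195 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[4:3] | 00: HopLimit = 0. 01: HopLimit = 1. 10: HopLimit = others. 11: HopLimit = 255. |
| Reserved | 2 | 194:193 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[2:1] | Default to zero |
| UDF_Valid[8] | 1 | 192 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[0] | Indicates whether UDF_n_B8 is valid |
| UDF_Valid[7:0] | 8 | 191:184 | Data Register 5 (Page A0h, 24h–27h); Mask Register 5 (Page A0h, 44h–47h) | Bit[31:24] | Indicates if UDF_n_B[7:0] is valid |
| S-Tag | 16 | 183:168 | Data Register 5 (Page A0h, 24h–27h); Mask Register 5 (Page A0h, 44h–47h) | Bit[23:8] | The SVLAN tag is carried in the packet explicitly or is generated implicitly based on the ingress port default setting. |
| C-Tag | 8 | 167:160 | Data Register 5 (Page A0h, 24h–27h); Mask Register 5 (Page A0h, 44h–47h) | Bit[7:0] | The CVLAN tag is carried in the packet explicitly or is generated implicitly based on the ingress port default setting. |
| C-Tag | 8 (LSB) | 159:152 | Data Register 4 (Page A0h, 20h–23h); Mask Register 4 (Page A0h, 40h–43h) | Bit[31:24] | |
| UDF_n_B8 | 16 | 151:136 | Data Register 4 (Page A0h, 20h–23h); Mask Register 4 (Page A0h, 40h–43h) | Bit[23:8] | Must be validated by UDF_Valid[8] |
| UDF_n_B7 | 8 | 135:128 | Data Register 4 (Page A0h, 20h–23h); Mask Register 4 (Page A0h, 40h–43h) | Bit[7:0] | Must be validated by UDF_Valid[7] |
| UDF_n_B7 | 8 (LSB) | 127:120 | Data Register 3 (Page A0h, 1Ch–1Fh); Mask Register 3 (Page A0h, 3Ch–3Fh) | Bit[31:24] | |
| UDF_n_B6 | 16 | 119:104 | Data Register 3 (Page A0h, 1Ch–1Fh); Mask Register 3 (Page A0h, 3Ch–3Fh) | Bit[23:8] | Must be validated by UDF_Valid[6] |
| UDF_n_B5 | 8 | 103:96 | Data Register 3 (Page A0h, 1Ch–1Fh); Mask Register 3 (Page A0h, 3Ch–3Fh) | Bit[7:0] | Must be validated by UDF_Valid[5] |
| UDF_n_B5 | 8 (LSB) | 95:88 | Data Register 2 (Page A0h, 18h–1Bh); Mask Register 2 (Page A0h, 38h–3Bh) | Bit[31:24] | |
| UDF_n_B4 | 16 | 87:72 | Data Register 2 (Page A0h, 18h–1Bh); Mask Register 2 (Page A0h, 38h–3Bh) | Bit[23:8] | Must be validated by UDF_Valid[4] |
| UDF_n_B3 | 8 | 71:64 | Data Register 2 (Page A0h, 18h–1Bh); Mask Register 2 (Page A0h, 38h–3Bh) | Bit[7:0] | Must be validated by UDF_Valid[3] |
| UDF_n_B3 | 8 (LSB) | 63:56 | Data Register 1 (Page A0h, 14h–17h); Mask Register 1 (Page A0h, 34h–37h) | Bit[31:24] | |
| UDF_n_B2 | 16 | 55:40 | Data Register 1 (Page A0h, 14h–17h); Mask Register 1 (Page A0h, 34h–37h) | Bit[23:8] | Must be validated by UDF_Valid[2] |
| UDF_n_B1 | 8 | 39:32 | Data Register 1 (Page A0h, 14h–17h); Mask Register 1 (Page A0h, 34h–37h) | Bit[7:0] | Must be validated by UDF_Valid[1] |
| UDF_n_B1 | 8 (LSB) | 31:24 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[31:24] | |
| UDF_n_B0 | 16 | 23:8 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[23:8] | Must be validated by UDF_Valid[0] |
| Reserved | 4 | 7:4 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[7:4] | Defaults to zero |
| Slice_ID | 2 | 3:2 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[3:2] | Logical CFP rule for slice identification: 00 = slice 0, 01 = slice 1, 10 = slice 2, 11 = slice 3 |
| Slice_Valid | 2 | 1:0 | Data Register 0 (Page A0h, 10h–13h); Mask Register 0 (Page A0h, 30h–33h) | Bit[1:0] | Bits used to validate the corresponding slice and must be set to 2'b11. |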
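Table 3: Slice Format for Non-IP Packets

| Field | Width (bits) | Slice Bit Map | TCAM Data/Mask Register Map | TCAM Register Bit Map | Description |
|---|---|---|---|---|---|
| Source_PortMap | 8 | 231:224 | Data Register 7 (Page A0h, 2Ch–2Fh); Mask Register 7 (Page A0h, 4Ch–4Fh) | Bit[7:0] | The ingress port select to which the rule applies. To enable a key to a port or ports, the corresponding port mask bit should be set to 0, regardless of the setting state in the key field. |
| S_Tag_Status | 2 | 223:222 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[31:30] | 00 = the packet was originally received without S Tag. 01 = the packet was originally received with SVID = 0. 10 = reserved. 11 = the packet was originally received with SVID = not 0. |
| C_Tag_Status | 2 | 221:220 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[29:28] | 00 = the packet was originally received without C Tag. 01 = the packet was originally received with CVID = 0. 10 = reserved. 11 = the packet was originally received with CVID = not 0. |
| L2_Framing | 2 | 219:218 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[27:26] | 00 = DIXv2. 01 = SNAP Public. 10 = LLC. 11 = SNAP Private. |
| L3_Framing | 2 | 217:216 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[25:24] | 11 = Non IP |
| EtherType/SAP | 16 | 215:200 | Data Register 6 (Page A0h, 28h–2Bh); Mask Register 6 (Page A0h, 48h–4Bh) | Bit[23:8] | Ethertype w |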