ACL switches in detail

ACLs (Access Control Lists) on network devices can be implemented in hardware or in software, and most commonly as a combination of both. Software-based ACLs are straightforward: they are rules stored and processed in RAM (i.e., on the Control Plane), with all the restrictions that follow from this. In this article we look at how hardware-based ACLs are implemented and how they work, using Extreme Networks ExtremeSwitching series switches as an example.



Since we are interested in hardware-based ACLs, the internal implementation of the Data Plane, i.e., the actual chipsets (ASICs) used, is of paramount importance to us. The switches of all Extreme Networks product lines are built on Broadcom ASICs, so most of the information below also applies to other switches on the market that are built on the same ASICs.

As you can see from the figure above, ACL processing in the chipset is handled by the “ContentAware Engine”, with separate engines for “ingress” and “egress”. Architecturally they are the same, but the “egress” engine is less scalable and less functional. Physically, each “ContentAware Engine” is TCAM memory plus associated logic, and each user or system ACL rule is a simple bit-mask written to this memory. That is why the chipset processes traffic without performance degradation.

Physically, the same Ingress / Egress TCAM is in turn logically divided into several segments (depending on the amount of memory and the platform), the so-called “ACL-slices”. The same thing happens with the physically single HDD in your laptop when you create several logical drives on it, C:\ and D:\. Each ACL-slice, in turn, consists of memory cells in the form of “lines” (rows) into which the “rules” (bit-masks) are written.


The breakdown of the TCAM into ACL-slices follows a certain logic. Only compatible “rules” can be written into any individual ACL-slice. If a “rule” is not compatible with the previous one, it is written to the next ACL-slice in order, regardless of how many free lines for “rules” remain in the previous one.

Where does this compatibility or incompatibility of ACL rules come from? The fact is that one TCAM “line”, into which a “rule” is written, is 232 bits long and is divided into several fields: Fixed, Field1, Field2, Field3. 232 bits, or 29 bytes, of TCAM memory is enough to write the bit-mask of a specific MAC or IP address, but much less than a full Ethernet packet header. In each individual ACL-slice the ASIC performs an independent lookup according to the bit-masks set in F1-F3. In general, this lookup can be performed on the first 128 bytes of the Ethernet header. Precisely because the lookup can cover 128 bytes while only 29 bytes can be written, a correct lookup requires an offset relative to the beginning of the packet. The offset for each ACL-slice is set when the first rule is written to it, and if writing the next rule turns out to need a different offset, that rule is considered incompatible with the first and is written to the next ACL-slice.

The table below shows the compatibility order of the conditions that can be specified in an ACL. Each separate line contains bit-masks that are compatible with each other and not compatible with those on other lines.


For each individual packet, the ASIC runs a lookup in every ACL-slice in parallel. Within one ACL-slice the lookup stops at the first match, but the same packet may match in several different ACL-slices. Each individual “rule” has a corresponding action that must be performed if its condition (bit-mask) matches. If a match occurs in several ACL-slices at once, the “Action Conflict Resolution” block decides which one to perform based on the priority of the ACL-slice. If an ACL contains both an “action” (permit / deny) and an “action-modifier” (count / QoS / log / ...), then in the case of multiple matches only the higher-priority “action” is executed, while all the “action-modifiers” are applied. The example below shows that both counters are incremented and the higher-priority “deny” is executed.
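As an added illustration of the slice-allocation and conflict-resolution behaviour described above (example code written for this article, not Extreme's or Broadcom's), the toy model below programs a few rules into ACL-slices and runs a lookup; the slice size, slice count, the header-offset groups and the rule that slice 0 has the highest priority are all assumptions.

```python
from dataclasses import dataclass
# Toy model of ACL-slice allocation and lookup (added example, not Extreme or
# Broadcom code). Slice size, slice count and the header-offset groups below
# (conditions in one group share an offset) are illustrative assumptions.
SLICE_ROWS = 4      # rows per ACL-slice (real platforms have far more)
NUM_SLICES = 3      # ACL-slices in this toy TCAM
GROUP = {"ethernet-source-address": "L2", "ethernet-destination-address": "L2",
         "source-address": "L3", "destination-address": "L3",
         "source-port": "L4", "destination-port": "L4"}
@dataclass
class Rule:
    name: str
    match: dict             # condition -> exact value (stands in for a bit-mask)
    action: str             # "permit" or "deny"
    modifiers: tuple = ()   # action-modifiers, e.g. ("count",) or ("log",)
    def offset(self):
        return frozenset(GROUP[c] for c in self.match)

def program(rules):
    """Write rules in order; a rule needing a different offset than the current
    slice starts the next slice, however many rows are still free."""
    slices, cur = [], None
    for r in rules:
        if cur is None or cur["offset"] != r.offset() or len(cur["rows"]) == SLICE_ROWS:
            if len(slices) == NUM_SLICES:
                raise RuntimeError("TCAM full: no free ACL-slice for " + r.name)
            cur = {"offset": r.offset(), "rows": []}
            slices.append(cur)
        cur["rows"].append(r)
    return slices

def lookup(slices, packet):
    """Parallel lookup, first match per slice. Assumed: slice 0 has the highest
    priority, so its action wins; modifiers of every matching rule still apply."""
    hits = []
    for s in slices:
        for r in s["rows"]:
            if all(packet.get(c) == v for c, v in r.match.items()):
                hits.append(r)
                break
    if not hits:
        return None, []     # no ACL match: packet is forwarded normally
    return hits[0].action, [(r.name, m) for r in hits for m in r.modifiers]
# Constructed sample policy: only four rules, yet three ACL-slices are needed.
RULES = [Rule("deny_host", {"source-address": "10.0.0.5"}, "deny", ("count",)),
         Rule("allow_web", {"destination-port": 80}, "permit", ("count",)),
         Rule("allow_dns", {"destination-port": 53}, "permit"),
         Rule("deny_mac", {"ethernet-source-address": "00:11:22:33:44:55"}, "deny", ("log",))]
PACKET = {"ethernet-source-address": "aa:bb:cc:dd:ee:ff",
          "source-address": "10.0.0.5", "destination-port": 80}
```

Running `program(RULES)` shows four rules occupying three slices with most rows empty, and `lookup(program(RULES), PACKET)` returns the higher-priority "deny" together with both "count" modifiers.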


The “ACL Solutions Guide”, with more detailed information on how ACLs work, is publicly available on extremenetworks.com. Any questions that arise or remain can always be asked of our office staff at cis@extremenetworks.com.

Source: https://habr.com/ru/post/undefined/

