Efficient Ethernet Switch Port Access Control List Implementation using Separate Rule Groups and Profiles
Publication Date: 2013-Jul-16
The IP.com Prior Art Database
Disclosed is an efficient ethernet switch port access control list implementation using separate rule groups and profiles.
Page 01 of 4
Classifying an ingress Ethernet frame and applying policy to that frame to determine subsequent actions is a well-established process in switches. Methods include state machines, hash lookups, and content addressable memories (CAMs). The advent of port virtualization [*] for applications above a switch port places significantly higher demands on that port: it must be able to apply many different policies, or access control lists (ACLs), one for each of the different virtual ports. Using a ternary content addressable memory (TCAM), with a key composed of frame header fields, to search a set of rules for a match that in turn dictates one or more actions is common practice today. TCAMs, however, are relatively large compared to other ASIC memory elements, consume a significant amount of power, and can require complex logic to resolve their outputs. Thus, an efficient mechanism is needed that keeps the speed of a TCAM search for ACLs while:
maintaining a high degree of flexibility for varying key sizes depending on the complexity of the search fields,
keeping the TCAM footprint as small as possible, and
providing the largest number of rules within given silicon space constraints.
This disclosure moves away from a single large unified TCAM and partitions the rules into three groups: System rules, Layer 2 rules, and Layer 3 rules. Each rule group has its own key width, so the TCAM width, and thus the overall area, is optimized to the needs of that group. The groups are built from small TCAM building blocks that can be reconfigured by selecting a Profile; different Profiles allocate different numbers of rules to each rule group. The result is less TCAM memory overall than a single TCAM sized to accommodate the widest key for every rule. The Profile concept also provides the flexibility to significantly alter the width and number of rules per group to match a broad spectrum of applications.
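The following is an added software model of the scheme just described (separate rule groups with their own key widths, TCAM building blocks assigned to groups by a Profile, per-group ternary lookup, and resolution of the matched actions into one action set). It is not code from the disclosure: the field layouts, key widths, block size, block count, the two Profiles, and the precedence used to resolve conflicting actions are all assumptions chosen for illustration. The `tcam_bits` and `unified_tcam_bits` functions quantify the storage saving over a single TCAM sized to the widest key.

```python
"""Model of a port ACL built from separate TCAM rule groups and Profiles.

Added example, not the disclosure's design: layouts, widths, block size,
Profiles and the action-resolution policy are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed key layout per rule group, MSB first: (field name, width in bits).
LAYOUTS = {
    "system": [("in_port", 8), ("ethertype", 16)],
    "l2": [("dst_mac", 48), ("src_mac", 48), ("vlan", 12), ("ethertype", 16)],
    "l3": [("src_ip", 32), ("dst_ip", 32), ("proto", 8),
           ("src_port", 16), ("dst_port", 16), ("in_port", 8)],
}
GROUP_WIDTH = {"system": 32, "l2": 128, "l3": 160}  # assumed TCAM width per group
BLOCK_ENTRIES = 64   # assumed entries in one reconfigurable TCAM building block
TOTAL_BLOCKS = 8     # assumed number of building blocks available on the die
PROFILES = {         # assumed Profiles: building blocks assigned to each group
    "l2_heavy": {"system": 1, "l2": 6, "l3": 1},
    "l3_heavy": {"system": 1, "l2": 2, "l3": 5},
}
PRECEDENCE = ["system", "l3", "l2"]  # assumed: earlier group wins on conflicts

for _g, _layout in LAYOUTS.items():  # every key must fit its group's TCAM width
    assert sum(w for _, w in _layout) <= GROUP_WIDTH[_g]


def pack(layout, fields, masks=None):
    """Pack named fields into a (value, mask) pair laid out per `layout`.

    Fields missing from `fields` become don't-care bits (mask 0); a per-field
    mask (e.g. 0xFFFFFF00 for a /24 prefix) narrows the compare further.
    Passing every field with no masks yields the exact search key.
    """
    value = mask = 0
    for name, width in layout:
        value <<= width
        mask <<= width
        if name in fields:
            if fields[name] >> width:
                raise ValueError(f"{name} does not fit in {width} bits")
            fmask = (masks or {}).get(name, (1 << width) - 1) & ((1 << width) - 1)
            value |= fields[name] & fmask
            mask |= fmask
    return value, mask


def tcam_bits(profile_name):
    """Storage (value + mask bits) for a Profile using per-group key widths."""
    return sum(2 * GROUP_WIDTH[g] * blocks * BLOCK_ENTRIES
               for g, blocks in PROFILES[profile_name].items())


def unified_tcam_bits(profile_name):
    """Storage for the same entry count in one TCAM sized to the widest key."""
    entries = sum(PROFILES[profile_name].values()) * BLOCK_ENTRIES
    return 2 * max(GROUP_WIDTH.values()) * entries


@dataclass
class RuleGroup:
    name: str
    capacity: int
    rules: list = field(default_factory=list)  # (value, mask, action), priority order

    def add(self, fields, action, masks=None):
        if len(self.rules) >= self.capacity:
            raise OverflowError(f"{self.name} group is full ({self.capacity} rules)")
        self.rules.append((*pack(LAYOUTS[self.name], fields, masks), action))

    def lookup(self, key):
        """TCAM search: action of the first (highest-priority) match, else None."""
        for value, mask, action in self.rules:
            if key & mask == value:
                return action
        return None


class PortAcl:
    def __init__(self, profile_name):
        profile = PROFILES[profile_name]
        if sum(profile.values()) > TOTAL_BLOCKS:
            raise ValueError("Profile needs more building blocks than exist")
        self.groups = {g: RuleGroup(g, blocks * BLOCK_ENTRIES)
                       for g, blocks in profile.items()}

    def classify(self, frame):
        """Form one key per group, search every group, resolve one action set."""
        resolved = {}
        for g in PRECEDENCE:
            key, _ = pack(LAYOUTS[g], frame)
            action = self.groups[g].lookup(key)
            if action:
                for k, v in action.items():
                    resolved.setdefault(k, v)  # higher-precedence group already set wins
        return resolved


def demo():
    """Program one rule per group and classify three constructed frames."""
    acl = PortAcl("l2_heavy")
    acl.groups["system"].add({"in_port": 7}, {"mirror": True})
    acl.groups["l2"].add({"src_mac": 0x001122334455}, {"vlan": 10, "priority": 5})
    acl.groups["l3"].add({"dst_ip": 0xC0A80100, "proto": 6, "dst_port": 22},
                         {"vlan": 20, "log": True}, masks={"dst_ip": 0xFFFFFF00})
    base = {"in_port": 7, "ethertype": 0x0800, "vlan": 1, "dst_mac": 0xFFFFFFFFFFFF,
            "src_mac": 0x001122334455, "src_ip": 0x0A000001, "dst_ip": 0xC0A80105,
            "proto": 6, "src_port": 40000, "dst_port": 22}  # constructed sample frame
    ssh = acl.classify(base)
    web = acl.classify({**base, "dst_port": 80})
    other = acl.classify({**base, "in_port": 1, "src_mac": 0x00AABBCCDDEE, "dst_port": 80})
    return ssh, web, other
```

With these assumed widths, the `l2_heavy` Profile needs 122,880 TCAM bits against 163,840 for a unified TCAM holding the same 512 entries at the widest (160-bit) key, and switching to `l3_heavy` changes only the block assignment, not the total. In `demo()` the SSH frame matches all three groups and the Layer 3 VLAN (20) overrides the Layer 2 one (10) under the assumed precedence; a frame to port 80 falls back to the Layer 2 VLAN; a frame matching nothing gets an empty action set.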
Figure 1 below illustrates the ACL structure and process. Fields from an ingress frame are parsed and a key is formed that is fed into each of the rule groups on the left. The TCAM lookup occurs; if there is a match, the action array is accessed and the action(s) read. The set of potential actions is then compared and resolved, resulting in one action set that drives the policy fo...