基于BCM53115实现ACL功能

1/14基于BCM53115实现ACL功能ACL，AccessControlList，访问控制列表，是路由器和交换机接口的指令列表，用来控制端口进出的数据包。这张表中包含了匹配关系、条件和查询语句，表只是一个框架结构，其目的是为了对某种访问进行控制。ACL的本质其实是一种流分类技术，它是人为定义的一些规则，目的是通过网络设备对数据流进行分类，以便执行用户规定的动作。一、BCM53115ACL介绍BCM53115的ACL由CFP（CompactFieldProcessor）模块实现。BCM53115的CFP共支持256条规则。这些规则依次保存在物理的TCAMEntry（TernaryContent-AwareMemory）中，索引号0~255。SlicenKey可以理解为逻辑上的规则，共有4个Slice：Slice0~3。其中Slice0~2可以匹配IPv4、IPv6和Non-IP包。Slice3可以和Slice0联合，形成联合Slice，用于匹配IPv6包（联合Slice可匹配的字段更多了）。芯片收到一个包后，会查找TCAM表，当发现TCAM表中某条Entry可以匹配该包时，就会执行相应的操作：限速（RateMeters）、统计（Counters）、动作（Action）。其中动作包括丢弃、转发到其他端口、替换DSCP值等。如果有多条规则匹配，则优先级最高的起作用。Slice编号越大优先级越高（当有联合Slice时，联合Slice优先级最高）。同一Slice内，索引号越小，优先级越高。CFP规则的SliceKey共232bit，分4种格式，分别对应独立Slice下的IPv4包、IPv6包、Non-IP包以及联合Slice下的IPv6包。具体格式描述下述。2/14二、BCM53115CFP相关寄存器1、CFPTCAMDataRegister0~7(PageA0h:Address10h–2Fh)和CFPTCAMMaskRegister0~7(PageA0h:Address30h–4Fh)TCAM数据和掩码寄存器。对应于上述的SliceKey。SliceKey中不一定每一个字段都要匹配，不需要匹配的字段，可将掩码寄存器的相应bit设置为0。下面的4个表格说明了4种Slice格式与TCAM数据和掩码寄存器的对应关系。Table1:SliceFormatforIPv4PacketsFieldWidth(bits)SliceBitMapTCAMData/MaskRegisterMapTCAMRegisterBitMapDescriptionSource_PortMap8231:224TCAMDataRegister7,PageA0h,Address2Ch–2Fh.TCAMMaskregister7,PageA0h,Address4Ch–4Fh.Bit[7:0]Theingressportselecttowhichtheruleapplies.Toenableakeytoaportorports,thecorrespondingportmaskbitshouldbesetto0,regardlessofthesettingstateinthekeyfield.S_Tag_Status2223:222TCAMDataRegister6,PageA0h,address28h–2Bh.TCAMMaskRegister6,PageA0h,Address48h–4BhBit[31:30]00=thepacketwasoriginallyreceivedwithoutSTag.01=thepacketwasoriginallyreceivedwithSVID=0.10=reserved.11=thepacketwasoriginallyreceivedwithSVID=not0.C_Tag_Status2221:220Bit[29:28]00=thepacketwasoriginallyreceivedwithoutCTag.01=thepacketwasoriginallyreceivedwithCVID=0.10=reserved.11=thepacketwasoriginallyreceivedwithCVID=not0.L2_Framing2219:218Bit[27:26]00=DIXv201=SNAPPublicL3_Framing2217:216Bit[25:24]00=IPv43/14IP_TOS8215:208Bit[23:16]TypeofServicefieldinIPv4headerIP_Protocol8207:200Bit[15:8]ProtocolfieldinIPv4headerIP_Fragmentation1199Bit[7]0=notfragmented1=fragmentedNon_First_Fragment1198Bit[6]Bit[6]0=notfragmentedorfirstfragment1=notfirstfragmentedIP_Authentication1197Bit[5]0=notauthenticated1=authenticatedTTL_Range2196:195Bit[4:3]00:TTL=001:TTL=110:TTL=others11:TTL=255Reserved2194:193Bit[2:1]DefaulttozeroUDF_Valid[8]1192Bit[0]IndicateswhetherUDF_n_A8isvalidUDF_Valid[7:0]8191:184TCAMDataRegister5,PageA0h,Address24h–27h.TCAMMaskRegister5,PageA0h,Address44h–47h.Bit[31:24]IndicatesifUDF_n_A[7:0]isvalidS-Tag16183:168Bit[23:8]TheSVLANtagiscarriedinthepacketexplicitlyorisgeneratedimplicitlybasedontheingressportdefaultsetting.C-Tag8167:160Bit[7:0]TheCVLANtagiscarriedinthepacketexplicitlyorisgeneratedimplicitlybasedontheingressportdefaultsetting.C-Tag8(LSB)159:152TCAMDataRegister4,PageA0h,Address20h–23h.TCAMMaskRegister4,PageA0h,Address40h–43h.Bit[31:24]UDF_n_A816151:136Bit[23:8]MustbevalidatedbyUDF_Valid[8]UDF_n_A78135:128Bit[7:0]MustbevalidatedbyUDF_Valid[7]UDF_n_A78(LSB)127:120TCAMDataRegister3,PageA0h,Address1Ch–1Fh.TCAMMaskRegister3,PageBit[31:24]UDF_n_A616119:104Bit[23:8]MustbevalidatedbyUDF_Valid[6]UDF_n_A58103:96Bit[7:0]Mustbevalidatedby4/14A0h,Address3Ch–3Fh.UDF_Valid[5]UDF_n_A58(LSB)95:88TCAMDataRegister2,PageA0h,Address18h–1Bh.TCAMMaskRegister2,PageA0h,Address38h–3Bh.Bit[31:24]UDF_n_A41687:72Bit[23:8]MustbevalidatedbyUDF_Valid[4]UDF_n_A3871:64Bit[7:0]MustbevalidatedbyUDF_Valid[3]UDF_n_A38(LSB)63:56TCAMDataRegister1,PageA0h,address14h–17h.TCAMMaskRegister1,PageA0h,Address34h–37h.Bit[31:24]UDF_n_A21655:40Bit[23:8]MustbevalidatedbyUDF_Valid[2]UDF_n_A1839:32Bit[7:0]MustbevalidatedbyUDF_Valid[1]UDF_n_A18(LSB)31:24TCAMDataRegister0,PageA0h,Address10h–13h.TCAMMaskRegister0,PageA0h,Address30h–33h.Bit[31:24]UDF_n_A01623:8Bit[23:8]MustbevalidatedbyUDF_Valid[0]Reserved47:4Bit[7:4]DefaultstozeroSlice_ID23:2Bit[3:2]LogicalCFPruleforsliceidentification:00=slice001=slice110=slice211=slice3Slice_Valid21:0Bit[1:0]Bitsusedtovalidatethecorrespondingsliceandmustbesetto2’b11.Table2:SliceFormatforIPv6PacketsFieldWidth(bits)SliceBitMapTCAMData/MaskRegisterMapTCAMRegisterBitMapDescriptionSource_PortMap8231:224TCAMDataRegister7,PageA0h,Address2Ch–2Fh.TCAMMaskBit[7:0]Theingressportselecttowhichtheruleapplies.Toenableakeytoaportorports,thecorrespondingport5/14register7,PageA0h,Address4Ch–4Fh.maskbitshouldbesetto0,regardlessofthesettingstateinthekeyfield.S_Tag_Status2223:222TCAMDataRegister6,PageA0h,address28h–2Bh.TCAMMaskRegister6,PageA0h,Address48h–4BhBit[31:30]00=thepacketwasoriginallyreceivedwithoutSTag.01=thepacketwasoriginallyreceivedwithSVID=0.10=reserved.11=thepacketwasoriginallyreceivedwithSVID=not0.C_Tag_Status2221:220Bit[29:28]00=thepacketwasoriginallyreceivedwithoutCTag.01=thepacketwasoriginallyreceivedwithCVID=0.10=reserved.11=thepacketwasoriginallyreceivedwithCVID=not0.L2_Framing2219:218Bit[27:26]00=DIXv201=SNAPPublicL3_Framing2217:216Bit[25:24]01=IPv6IP_TrafficClass8215:208Bit[23:16]IPv6headerTrafficClassfieldIP_NextHeader8207:200Bit[15:8]LastparsednextheaderfromtheIPv6header/extensio