Switch ACLs in detail

ACLs (Access Control Lists) on network devices can be implemented either in hardware or in software; these are commonly called hardware-based and software-based ACLs. Software-based ACLs are straightforward: they are rules stored and processed in RAM (that is, on the Control Plane), with all the restrictions that implies. In this article we look at how hardware-based ACLs are implemented and how they work, using the ExtremeSwitching series switches from Extreme Networks as an example.

[Figure: chipset block diagram with separate ingress and egress “ContentAware Engine” blocks]

Since we are interested in hardware-based ACLs, what matters most is the internal implementation of the Data Plane, that is, the chipsets (ASICs) actually used. All Extreme Networks switches are based on Broadcom ASICs, so most of the information below also applies to other switches on the market that are built on the same ASICs.

As the figure above shows, the “ContentAware Engine” is the block of the chipset directly responsible for ACL processing, with separate engines for “ingress” and “egress”. They are architecturally the same; the “egress” engine is only less scalable and less functional. Physically, each “ContentAware Engine” is TCAM memory plus the associated logic, and each user or system ACL rule is a simple bit-mask written into that memory. That is why the chipset processes traffic packet by packet without any performance degradation.

The physically single Ingress / Egress TCAM is, in turn, logically divided into several segments (the number depends on the amount of memory and on the platform), the so-called “ACL slices”. The same thing happens when you create several logical drives, C: and D:, on the single physical HDD in your laptop. Each ACL-slice, in turn, consists of memory cells in the form of “lines” into which “rules” (bit-masks) are written.

[Figure: one TCAM divided into several ACL-slices, each made up of lines holding rules]

The division of the TCAM into ACL-slices has a certain logic behind it. Only “rules” that are compatible with each other can be written into one ACL-slice. If a “rule” is not compatible with the previous one, it is written to the next ACL-slice in order, regardless of how many free lines for “rules” remain in the previous one.

Where, then, does this compatibility or incompatibility of ACL rules come from? One TCAM “line” into which a “rule” is written is 232 bits long and is divided into several fields: Fixed, Field1, Field2, Field3. 232 bits, or 29 bytes, of TCAM memory is enough to hold the bit-mask of a specific MAC or IP address, but much less than the full header of an Ethernet packet. In each ACL-slice the ASIC performs an independent lookup according to the bit-masks set in F1-F3. In general, this lookup can be performed over the first 128 bytes of the Ethernet header. Precisely because the lookup can cover 128 bytes while only 29 bytes can be written, a correct lookup requires an offset relative to the beginning of the packet. The offset for each ACL-slice is set when the first rule is written into it; if a subsequent rule turns out to need a different offset, that rule is considered incompatible with the first one and is written to the next ACL-slice.

The table below shows the compatibility of the conditions that can be specified in an ACL. Each row contains bit-masks that are compatible with each other and incompatible with those in the other rows.

[Table (image in the original): compatibility of ACL conditions, one row per group of mutually compatible bit-masks]

Each packet processed by the ASIC triggers a parallel lookup in every ACL-slice. Within one ACL-slice the lookup stops at the first match, but the same packet may match in several different ACL-slices. Each “rule” has a corresponding action that is taken when its condition (bit-mask) matches. If matches occur in several ACL-slices at once, the “Action Conflict Resolution” block decides which action to perform based on the priority of the ACL-slices. If an ACL specifies both an “action” (permit/deny) and an “action-modifier” (count/QoS/log/…), then in case of multiple matches only the higher-priority “action” is executed, while all the “action-modifiers” are applied. In the example below, both counters are incremented and the higher-priority “deny” is executed.
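The following Python model is an added example, not code from the article or from Extreme Networks / Broadcom. It simulates the behaviour described in the two passages above: rules are written into TCAM lines sequentially, a rule whose offset differs from the offset fixed by the first rule in the current slice moves to the next slice even when lines are still free, each slice's lookup stops at its first match, and when several slices match, the action of the highest-priority slice wins while every matched rule's "count" modifier is still applied. Everything not stated in the article is an assumption: lower slice index means higher priority, a slice holds four lines, the Fixed/F1-F3 field layout is collapsed into one value/mask window, and the frame layout, rule names, MAC and IP addresses are constructed sample data.

```python
"""Simplified model of hardware ACL lookup in a sliced TCAM (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINE_BITS = 232            # width of one TCAM line, as stated in the article
LOOKUP_WINDOW_BYTES = 128  # a slice lookup can cover the first 128 bytes of the packet
SLICE_LINES = 4            # lines per slice: a small constructed value for the demo


@dataclass
class Rule:
    name: str
    offset: int                       # byte offset where this rule's window starts
    value: bytes                      # bit-mask value, at most 29 bytes (232 bits)
    mask: bytes                       # 1 bits are compared, 0 bits are "don't care"
    action: Optional[str] = None      # "permit" / "deny", or None for a pure modifier rule
    modifiers: Tuple[str, ...] = ()   # action-modifiers such as "count"

    def __post_init__(self) -> None:
        if len(self.value) != len(self.mask):
            raise ValueError("value and mask must have the same length")
        if len(self.value) * 8 > LINE_BITS:
            raise ValueError("rule does not fit one TCAM line")
        if self.offset + len(self.value) > LOOKUP_WINDOW_BYTES:
            raise ValueError("rule window lies outside the 128-byte lookup window")

    def matches(self, pkt: bytes) -> bool:
        window = pkt[self.offset:self.offset + len(self.value)]
        if len(window) < len(self.value):
            return False
        return all((w & m) == (v & m) for w, v, m in zip(window, self.value, self.mask))


@dataclass
class Slice:
    offset: Optional[int] = None      # fixed by the first rule written into the slice
    rules: List[Rule] = field(default_factory=list)


class Tcam:
    def __init__(self, n_slices: int) -> None:
        self.slices = [Slice() for _ in range(n_slices)]
        self.cursor = 0                     # slice currently being filled
        self.counters: Dict[str, int] = {}

    def program(self, rule: Rule) -> int:
        """Write a rule and return the index of the slice it landed in.

        A rule whose offset differs from the current slice's offset is incompatible
        and goes to the next slice in order, even if lines are still free."""
        while self.cursor < len(self.slices):
            s = self.slices[self.cursor]
            if s.offset is None:
                s.offset = rule.offset          # first rule fixes the slice offset
            if s.offset == rule.offset and len(s.rules) < SLICE_LINES:
                s.rules.append(rule)
                return self.cursor
            self.cursor += 1
        raise RuntimeError("TCAM exhausted: no slice left for rule %s" % rule.name)

    def lookup(self, pkt: bytes) -> Tuple[Optional[str], List[str]]:
        """Parallel per-slice lookup, first match per slice, then conflict resolution."""
        hits: List[Rule] = []
        for s in self.slices:
            for r in s.rules:
                if r.matches(pkt):
                    hits.append(r)              # first match ends this slice's lookup
                    break
        # Assumption: lower slice index = higher priority. Only the highest-priority
        # action is executed ...
        action = next((r.action for r in hits if r.action is not None), None)
        # ... but the action-modifiers of every matched rule are applied.
        for r in hits:
            if "count" in r.modifiers:
                self.counters[r.name] = self.counters.get(r.name, 0) + 1
        return action, [r.name for r in hits]


def build_frame(dst_mac: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame: 14-byte Ethernet header + 20-byte IPv4 header."""
    eth = dst_mac + bytes.fromhex("0a0b0c0d0e0f") + b"\x08\x00"
    ipv4 = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0]) + src_ip + dst_ip
    return eth + ipv4 + b"\x00" * 20            # dummy payload


IPV4_SRC_OFFSET = 14 + 12                        # source address of a plain Ethernet/IPv4 frame
DST_MAC = bytes.fromhex("001122334455")          # constructed sample address


def demo(src_ip: bytes = bytes([10, 0, 0, 5])):
    """Program four constructed rules, look up one frame, and report what happened."""
    tcam = Tcam(n_slices=4)
    rules = [
        Rule("deny-host-10.0.0.5", IPV4_SRC_OFFSET, bytes([10, 0, 0, 5]), b"\xff" * 4, "deny", ("count",)),
        Rule("permit-net-10.0.0.0/24", IPV4_SRC_OFFSET, bytes([10, 0, 0, 0]), b"\xff\xff\xff\x00", "permit", ("count",)),
        Rule("permit-dst-mac", 0, DST_MAC, b"\xff" * 6, "permit", ("count",)),   # new offset -> next slice
        Rule("count-net-10.0.0.0/8", IPV4_SRC_OFFSET, bytes([10, 0, 0, 0]), b"\xff\x00\x00\x00", None, ("count",)),
    ]
    placement = {r.name: tcam.program(r) for r in rules}
    action, hits = tcam.lookup(build_frame(DST_MAC, src_ip, bytes([192, 0, 2, 1])))
    return placement, action, hits, dict(tcam.counters)


if __name__ == "__main__":
    for label, value in zip(("placement", "action", "hits", "counters"), demo()):
        print(label, value)
```

Running `demo()` shows the two slice-burning effects at once: the MAC rule lands in slice 1 although slice 0 still has free lines, and the later /8 rule cannot return to slice 0 and ends up in slice 2. For a frame from 10.0.0.5 the first slice stops at the host rule, so the /24 rule in the same slice is never counted, while the MAC and /8 rules in the other slices are; the resulting action is the higher-priority "deny", exactly the situation the article's example describes.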

[Figure: example of a packet matching in two ACL-slices, with both counters incremented and the higher-priority “deny” executed]

The ACL Solutions Guide, with more detailed information on how ACLs work, is publicly available on the extremenetworks.com website. If you have any questions, you can always ask the staff of our office: [email protected].

Source: habr.com
