Ii-ACLs (Uluhlu loLawulo lokuFikelela) kwizixhobo zothungelwano zinokuphunyezwa zombini kwihardware kunye nesoftware, okanye ngokuqhelekileyo ukuthetha, ihardware kunye nesoftware-based ACLs. Kwaye ukuba yonke into ifanele icace nge-software-based ACLs - le yimithetho egcinwe kwaye iqhutywe kwi-RAM (okt kwi-Control Plane), kunye nazo zonke izithintelo ezilandelayo, ngoko siya kuqonda ukuba i-hardware-based ACLs iphunyezwe kwaye isebenze inqaku. Njengomzekelo, siya kusebenzisa utshintsho olusuka kwi-ExtremeSwitching series ukusuka kwi-Extreme Networks.
Ekubeni sinomdla kwii-ACL ezisekelwe kwi-hardware, ukuphunyezwa kwangaphakathi kweDatha yeDatha, okanye ii-chipsets zangempela (ASICs) ezisetyenzisiweyo, kubaluleke kakhulu kuthi. Yonke imizila yokutshintsha i-Extreme Networks yakhiwe kwi-Broadcom ASICs, kwaye ngoko ke uninzi lolwazi olungezantsi luya kuba yinyaniso nakwezinye izitshintshi kwiimarike eziphunyezwa kwii-ASIC ezifanayo.
Njengoko kunokubonwa kumzobo ongentla, "i-ContentAware Engine" ijongene ngqo nokusebenza kwe-ACLs kwi-chipset, ngokwahlukileyo "i-ingress" kunye ne "egress". I-Architecturally, ziyafana, kuphela "i-egress" iyancipha kwaye ingasebenzi. Ngokomzimba, zombini "Iinjini ze-ContentAware" ziyimemori ye-TCAM kunye nengqiqo ehambayo, kwaye umsebenzisi ngamnye okanye inkqubo ye-ACL umgaqo yimaski elula ebhaliweyo kule memori. Kungenxa yoko le nto i-chipset iqhuba ipakethi yetrafikhi ngepakethi kwaye ngaphandle kokuthotywa kokusebenza.
Ngokomzimba, i-Ingress / Egress ye-TCAM efanayo, ngokuphindaphindiweyo, ihlukaniswe ngokwengqiqo ibe ngamacandelo amaninzi (kuxhomekeke kwinani lememori ngokwayo kunye neqonga), okubizwa ngokuba yi "ACL slices". Umzekelo, kwenzeka into efanayo nge-HDD efanayo kwilaptop yakho xa udala iidrive ezininzi ezinengqondo kuyo - C:>, D:>. I-ACL-isilayi ngasinye, ngokulandelayo, iqulethe iiseli zememori ngendlela "yemitya" apho "imithetho" (imithetho / imaski ye-bit) ibhaliwe.
Ulwahlulo lwe-TCAM kwii-ACL-zilayi lunengqiqo ethile emva kwayo. Kwi-ACL nganye-izilayi, kuphela "imithetho" ehambelana nomnye ingabhalwa. Ukuba nayiphi na "imithetho" ayihambelani nale yangaphambili, ngoko iya kubhalwa kwi-ACL-isilayi esilandelayo, kungakhathaliseki ukuba zingaphi imigca ekhululekileyo ye "imithetho" eshiywe ngaphambili.
Apho ke oku kuhambelana okanye ukungahambelani kwemithetho ye-ACL ivela phi? Inyani kukuba enye ye-TCAM "umgca", apho "imithetho" ibhaliwe, inobude beebhithi ze-232 kwaye ihlukaniswe kwiinkalo ezininzi - Fixed, Field1, Field2, Field3. I-232 bit okanye i-29 byte yememori ye-TCAM yanele ukurekhoda i-bit-mask ye-MAC ethile okanye idilesi ye-IP, kodwa ngaphantsi kwe-header ye-packet ye-Ethernet epheleleyo. Kwisiqwenga ngasinye se-ACL, i-ASIC yenza ukukhangela okuzimeleyo ngokwe-bit-mask iseti kwi-F1-F3. Ngokubanzi, oku kujongwa kunokwenziwa kusetyenziswa i-128 bytes yokuqala ye-Ethernet header. Ngokwenyani, kanye ngenxa yokuba uphendlo lunokwenziwa ngaphezulu kwe-128 bytes, kodwa zii-byte ezingama-29 kuphela ezinokubhalwa, ukuze kujongwe ngokuchanekileyo i-offset kufuneka imiselwe xa kuthelekiswa nasekuqaleni kwepakethi. I-offset nganye ACL-isilayi ibekwe xa umthetho wokuqala ubhalelwe kuyo, kwaye ukuba, xa ubhala umgaqo olandelayo, imfuneko enye offset kufunyanwa, ngoko umgaqo onjalo uthathwa ayihambelani neyokuqala kwaye ibhalwe ukuba elandelayo ACL-isiqwenga.
Itheyibhile engezantsi ibonisa ukulandelelana kokuhambelana kweemeko ezichazwe kwi-ACL. Umgca ngamnye uqulethe ii-bit-masks ezenziweyo ezihambelanayo kunye nezingahambelani neminye imigca.
Ipakethe nganye eqhutywe yi-ASIC iqhuba ukukhangela okufanayo kwi-ACL-slice nganye. Itshekhi lwenziwa de umdlalo wokuqala kwi ACL-isilayi, kodwa iimatshisi ezininzi bavumelekile ukuba ipakethi efanayo ezahlukeneyo ACL-izilayi. Umntu ngamnye "umgaqo" unesenzo esihambelanayo ekufuneka senziwe ukuba imeko (bit-mask) ihambelana. Ukuba umdlalo kwenzeka eziliqela ACL-izilayi ngaxeshanye, ngoko kwi "Action Conflict Resolution" ibhloko, esekelwe kwi-priority ye-ACL-isilayi, isigqibo senziwe liphi inyathelo ukwenza. Ukuba i-ACL iqulethe zombini "isenzo" (imvume / ukukhanyela) kunye "nesenzo sokuguqula" (ukubala/QoS/log/...), ngoko ke kwimeko yeematshisi ezininzi kuphela "inyathelo" eliphambili eliya kwenziwa, ngelixa "isenzo". -modifierβ iya kugqitywa yonke. Lo mzekelo ungezantsi ubonisa ukuba zombini izixhobo zokubala ziya kwandiswa kwaye okuphambili okuphezulu "ukuphika" kuya kuphunyezwa.
ngolwazi oluthe kratya malunga nokusebenza kwe-ACL kwindawo yoluntu kwiwebhusayithi . Nayiphi na imibuzo ephakamayo okanye eshiyekileyo inokusoloko ibuzwa kubasebenzi bethu baseofisini - .
umthombo: www.habr.com