Acl Tcam

  1. Design Considerations for ACL TCAM resource management algorithms
     A. Sivaramakrishnan, April 2005
  2. Agenda
     - Ternary CAM – an Overview
     - ACL Flow Key
     - Typical TCAM Management Framework
     - TCAM Resource Managing Algorithm
     - Data Plane Operation
  3. Ternary CAM – an Overview
     - Specialized piece of memory for rapid lookups
     - Ternary, because each bit is 0, 1 or X (don't care)
     - X
       - acts as a wildcard during the search
       - attractive for implementing longest prefix match
     - Consists of Mask, Value, Result
     - Mask – the pattern to be matched, e.g. IP address, L4 ports, etc.
     - Value – mask bit associated with the pattern
     - Result – action that occurs when a lookup returns a hit for the pattern & mask, e.g. Permit, Deny, etc.
  4. Mask Value Arrangement
     - 1 – Many
     - 1 – 1
     [Figure: mask and value blocks illustrating the two arrangements (Mask 1 to Mask 6, Value 1 to Value 8)]
  5. Programming Values & Masks
     - 10.76.34.68    255.255.255.255
     - 176.24.34.0    255.255.255.0
     - 176.24.34.85   255.255.255.255
     - 176.24.34.0    255.255.255.64
     [Figure labels: Mask 2, Mask 3, Mask 1, Mask 1]
     With the one-to-many mask-entry arrangement, entries that share a mask should be grouped together as much as possible.
  6. Where we are?
     - Ternary CAM – an Overview
     - ACL Flow Key
     - Typical TCAM Management Framework
     - TCAM Resource Managing Algorithm
     - Data Plane Operation
  7. Flow Key
     - What constitutes a TCAM entry?
       - ACL policies, QoS policies, route table entries
     - ACL/QoS policies
       - L4 source, destination port information
       - L2/L3 source, destination addresses
         - Permit / Deny a particular port
         - Permit / Deny a range of ports
         - Permit / Deny a set of ports except a particular port
         - Permit / Deny a set of ports greater/less than a particular port
       - Action to take (Result)
         - Permit / Deny
         - Permit / Deny + log the packet info
         - Permit / Deny via software
         - Redirect
         - Bridge
       - Ingress/Egress direction
     - Route table entries
       - Source Destination IP Address, Protocol, Next Hop, Metric, Interface
  8. Flow Key Fields
     - Source IP Address
     - Destination IP Address
     - Lookup Type
     - Packet Type
     - MPLS Packet
     - L4 Protocol
     - More Fragment Bit
     - Fragment Details
     - L4 Operation
     - L4 Source Port
     - L4 Destination Port
     - TOS
     - IGMP Message Type
     - ICMP Code
     - ICMP Type
     - ESP Security ID
     - IPv6 TAG
     - Recirculation Bit
     - Interface Details
  9. Where we are?
     - Ternary CAM – an Overview
     - ACL Flow Key
     - Typical TCAM Management Framework
     - TCAM Resource Managing Algorithm
     - Data Plane Operation
  10. TCAM Resource Management Framework
      [Figure: layered blocks labelled Resource Management Algorithm, Driver, TCAM Hardware]
  11. Where we are?
      - Ternary CAM – an Overview
      - ACL Flow Key
      - Typical TCAM Resource Management Framework (TRMF)
      - TCAM Resource Managing Algorithm
        - Sequence of Events during hardware programming
        - Design Focus
        - Reducing number of entries
        - Error Recovery
        - Optimized CPU Utilization
      - Data Plane Operation
  12. When to program the ACL TCAM?
      - Apply ACL to an interface
      - Remove ACL from an interface
      - Modify ACL applied to an interface
      - Bring up/down interfaces with ACL
      - Add/delete interfaces with ACL
      - Reuse ACL on different interfaces
      - Concept
        - Order Dependent / Order Independent ACLs
  13. TCAM Resource Management Algorithm - Sequence of Events
      - Once the ACLs are (de)configured, the following sequence of events takes place:
        - The ACL parameters are passed to TRMF using a message-based interface
        - Callback functions can be used, if required
        - TRMF waits on infinite queue
        - Receive message
        - Manipulate the info received from the message step by step (use the guidelines in the next slide for message processing)
        - Program the software tables for each of the above steps
        - Program the software table delta in the hardware
        - In case a response needs to be sent back, send success/failure of the message
  14. TCAM Resource Managing Algorithm - Design Focus
      - Use minimal number of entries in the TCAM
      - Efficient algorithms to manage CPU utilization, huge number of TCAM entries
      - Optimal programs to search, add, remove, modify entries
      - Error recovery, in case of exceptions
      - Easy-to-use user interface for the users to identify relation between various entities
      - Take care of entries being disturbed from multiple points
  15. Reducing Number of TCAM Entries
      - Logical Operations with TCP/UDP Port Numbers
      - Merging ACLs
      - Mask space freeing
  16. Logical operations for TCP/UDP
      - L4 Operations
      - Greater Than, Less Than
      - Range
      - Not Equal To, Equal To
      - All logical operations except ‘equal to’ might take more than 1 TCAM entry space
      - Port Numbers: 0 – 65535
      - Assume an entry
        - permit
        - Source: IP 10.34.25.0/24, TCP Port Greater than 36
        - Dest: IP 20.34.25.0/24, TCP Port Range 60000 64000
      - Port greater than 36 => 65536 - 36 = 65500 entries required
      - Range 60000 to 64000 = 4000 entries required
      - Concerns
        - Uses more TCAM space
        - Takes more lookup time
  17. Optimizing Logical operations for TCP/UDP
      - For optimizing ACL flow keys, maintain the logical operations for TCP/UDP in a separate set of port registers
      - Use those registers for all logical operations except ‘equal to’
      - Use just 1 ACL TCAM entry & refer to those port registers in the flow key
      - ACL flow key optimized for TCP/UDP logical operations
      [Figure: flow key referring to port registers Reg 0 to Reg 15; example register contents: Greater than 34, Range 60000 64000]
  18. Merging ACLs
      - Scenario 1
        - Entry1
          - Permit, source: ip 10.20.34.0/24 dest: ip 20.20.34.0/24
        - Entry2
          - Permit, source: ip 10.20.34.5/32 dest: ip 20.20.34.0/24
        - Entry2 is a subset of Entry1. Use a single entry instead of 2
      - Scenario 2
        - Entry1, 2, 3 respectively are:
          - Deny, source: ip 10.20.34.0/24 dest: ip 20.20.34.0/24
          - Permit, source: ip 10.20.34.5/32 dest: ip 20.30.34.0/24
          - Permit, source: ip 10.20.34.10/32 dest: ip 20.40.34.0/24
        - Entry 1 is a superset of entries 2 & 3.
        - The packet is denied at Entry1; the packet never hits entries 2 & 3
        - So, use only 1 entry space
  19. Mask Space freeing
      - Prevents lookup of 2 mask spaces
      - Saves TCAM space for 2nd mask
      [Figure: before: Mask 1 {E1, E2, E3, E4, E5, E6, E7, E8}, Mask 2 {E9, E10, E11}, Mask 1 {E20, E21}. Delete entries E6 & E7. After: Mask 1 {E1, E2, E3, E4, E5, E20, E21, E8}, Mask 2 {E9, E10, E11}]
  20. Error Recovery
      - Usually the number of entries, sequence, etc. are unpredictable while programming
      - So, a contingency management framework is necessary
      - Example:
        - Say 10 entries are to be programmed, with only 8 free spaces in software
        - Non-availability of space would be known only while programming the 9th entry
        - Now, TRMF should return failure
        - The 8 entries need to be removed now
  21. Hardware programming - Optimization techniques
      - Algorithms update software tables
      - Entries in software are to be updated in the hardware
      - Programming all the entries is tedious
      - Transfer only the delta in the software table to the hardware
      - Identifying delta
        - Use separate data structures
        - Example: bitlists can track delta
        - Divide the software table into 2 parts. Program the delta separately; once programmed, transfer the delta to the permanent area
  22. Where we are?
      - Ternary CAM – an Overview
      - ACL Flow Key
      - Typical TCAM Management Framework
      - TCAM Resource Managing Algorithm
      - Data Plane Operation
  23. Data Path Operation
      [Flowchart; box labels: start, identify the packet, get packet header, parse the fields, get the interface info, get layer 4 info, lookup reg for layer 4 info, use reg info to form the flow key, get the rest of info from the packet, form a flow key, lookup TCAM, use result, use default result; connectors A, B, C]
  24. Recap
      - Ternary CAM – an Overview
      - ACL Flow Key
      - Typical TCAM Management Framework
      - TCAM Resource Managing Algorithm
      - Data Plane Operation
  25. Imagination Action Joy
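
An added example, not part of the original slides: the port-register scheme from slides 16, 17 and 23 in C, where the slide 16 rule occupies one TCAM entry and the comparisons run in two registers. The struct layout, register assignment, inclusive range bounds and deny-on-miss default are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { OP_GT, OP_LT, OP_RANGE, OP_NEQ } l4_op;
typedef struct { l4_op op; int on_dst; uint16_t a, b; } port_reg;
/* Flow key: addresses plus one result bit per port register. */
typedef struct { uint32_t src, dst; uint16_t regs; } flow_key;
/* Ternary entry: a mask bit of 1 is compared, 0 is X (don't care). */
typedef struct { flow_key value, mask; int permit; } tcam_entry;

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
#define COUNT(x) (sizeof(x) / sizeof((x)[0]))
/* Registers and the single entry for the slide 16 rule (layout assumed). */
static const port_reg REGS[] = {
    { OP_GT,    0, 36,    0     },  /* Reg 0: source port > 36 */
    { OP_RANGE, 1, 60000, 64000 },  /* Reg 1: dest port 60000..64000 */
};
static const tcam_entry TCAM[] = {
    { { IP(10,34,25,0), IP(20,34,25,0), 0x3 },  /* value */
      { 0xFFFFFF00u, 0xFFFFFF00u, 0x3 }, 1 },   /* mask /24, /24, Reg 0+1; permit */
};

static int reg_hit(const port_reg *r, uint16_t sport, uint16_t dport) {
    uint16_t p = r->on_dst ? dport : sport;
    switch (r->op) {
    case OP_GT:    return p > r->a;
    case OP_LT:    return p < r->a;
    case OP_RANGE: return p >= r->a && p <= r->b;
    default:       return p != r->a;   /* OP_NEQ */
    }
}

/* Data path: evaluate registers, form the flow key, first TCAM hit wins. */
int acl_lookup(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    flow_key k = { src, dst, 0 };
    for (size_t i = 0; i < COUNT(REGS); i++)
        if (reg_hit(&REGS[i], sport, dport)) k.regs |= (uint16_t)(1u << i);
    for (size_t i = 0; i < COUNT(TCAM); i++) {
        const tcam_entry *e = &TCAM[i];
        if (!((k.src ^ e->value.src) & e->mask.src) &&
            !((k.dst ^ e->value.dst) & e->mask.dst) &&
            !((k.regs ^ e->value.regs) & e->mask.regs))
            return e->permit;
    }
    return 0;   /* miss: default result, assumed here to be deny */
}

int main(void) {
    printf("%d\n", acl_lookup(IP(10,34,25,7), IP(20,34,25,9), 1024, 60000));
}
```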
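
An added example, not part of the original slides: a first-match shadowing check for the merge step on slide 18, comparing entries on source and destination prefix only (an assumption). With the destinations exactly as printed in scenario 2 (20.30.34.0/24 and 20.40.34.0/24), entries 2 and 3 are not covered by entry 1 and are kept; they are dropped only when their destinations fall inside 20.20.34.0/24.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t addr; int len; } prefix;
typedef struct { int permit; prefix src, dst; } acl_entry;
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

static uint32_t mask_of(int len) { return len ? ~(uint32_t)0 << (32 - len) : 0; }

/* True when every address matched by `in` is also matched by `out`. */
static int covers(prefix out, prefix in) {
    return out.len <= in.len && !((out.addr ^ in.addr) & mask_of(out.len));
}

/* Drop entries that can never be hit because an earlier kept entry covers
 * both their source and destination. Order is preserved; returns new count. */
size_t acl_drop_shadowed(acl_entry *e, size_t n) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        int shadowed = 0;
        for (size_t j = 0; j < kept && !shadowed; j++)
            shadowed = covers(e[j].src, e[i].src) && covers(e[j].dst, e[i].dst);
        if (!shadowed) e[kept++] = e[i];
    }
    return kept;
}

/* Slide 18, scenario 1: entry 2 is a subset of entry 1. */
size_t scenario1(void) {
    acl_entry e[] = {
        { 1, { IP(10,20,34,0), 24 }, { IP(20,20,34,0), 24 } },
        { 1, { IP(10,20,34,5), 32 }, { IP(20,20,34,0), 24 } },
    };
    return acl_drop_shadowed(e, 2);
}

/* Slide 18, scenario 2, with the destinations of entries 2 and 3 as inputs. */
size_t scenario2(uint32_t dst2, uint32_t dst3) {
    acl_entry e[] = {
        { 0, { IP(10,20,34,0),  24 }, { IP(20,20,34,0), 24 } },
        { 1, { IP(10,20,34,5),  32 }, { dst2, 24 } },
        { 1, { IP(10,20,34,10), 32 }, { dst3, 24 } },
    };
    return acl_drop_shadowed(e, 3);
}

int main(void) {
    printf("%zu %zu\n", scenario1(), scenario2(IP(20,30,34,0), IP(20,40,34,0)));
}
```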
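
An added example, not part of the original slides: the error-recovery case from slide 20 combined with the bitlist delta from slide 21. The table size, struct names and `try_batch` harness are hypothetical; a batch that runs out of space is undone before any hardware write.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOTS 16
typedef struct { uint32_t value, mask; int permit; } entry;
typedef struct {
    entry    sw[SLOTS], hw[SLOTS]; /* software table; hw stands in for the TCAM */
    uint16_t used;                 /* bit i: slot i is occupied */
    uint16_t delta;                /* bit i: slot i staged, not yet in hardware */
    int      hw_writes;            /* driver writes issued so far */
} trmf;

/* Stage n entries in software, then write only the delta to hardware.
 * Returns 0 on success; on lack of space undoes the staged entries, -1. */
int trmf_program(trmf *t, const entry *e, int n) {
    for (int i = 0; i < n; i++) {
        int slot = 0;
        while (slot < SLOTS && ((t->used >> slot) & 1)) slot++;
        if (slot == SLOTS) {                    /* known only at this entry */
            t->used &= (uint16_t)~t->delta;     /* free the staged slots */
            t->delta = 0;
            return -1;                          /* hardware never touched */
        }
        t->sw[slot] = e[i];
        t->used  |= (uint16_t)(1u << slot);
        t->delta |= (uint16_t)(1u << slot);
    }
    for (int s = 0; s < SLOTS; s++)
        if ((t->delta >> s) & 1) { t->hw[s] = t->sw[s]; t->hw_writes++; }
    t->delta = 0;                               /* delta is now permanent */
    return 0;
}

/* Constructed run: 8 of 16 slots already in use, then a batch of n entries.
 * Returns hardware writes on success, -1 if rejected and fully rolled back,
 * -2 if a rejected batch left state behind. */
int try_batch(int n) {
    trmf t = { .used = 0x00FF };
    entry batch[SLOTS] = { { 0 } };
    for (int i = 0; i < n && i < SLOTS; i++)
        batch[i] = (entry){ 0x0A000000u + (uint32_t)i, 0xFFFFFFFFu, 1 };
    if (trmf_program(&t, batch, n) == 0) return t.hw_writes;
    return (t.used == 0x00FF && t.delta == 0 && t.hw_writes == 0) ? -1 : -2;
}

int main(void) {
    printf("%d %d\n", try_batch(10), try_batch(8));
}
```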
