Intel® IXP400 Software

Access-Layer Components: Ethernet Database (IxEthDB) API

FCS, for example) that causes the frame to exceed the maximum frame size, the frame will not be transmitted. The TxLargeFramesDiscard counter will be incremented (see Chapter 9).

The maximum supported value is 16,320 bytes. For clarification, the Maximum Frame Size value counts the bytes of the Ethernet MSDU (Media Service Data Unit), defined as the sum of the sizes of:

• the Ethernet header: dest MAC + src MAC + VLAN Tag and/or length/type field
• the Ethernet payload
• the Ethernet frame check sequence (FCS), if not stripped out by IxEthAccPortRxFrameFcsDisable().

10.3.2.1 Filtering Example Based Upon Maximum Frame Size

On a system with three ports (0, 1, 2), execute:

    ixEthDBFilteringPortMaximumFrameSizeSet(0, 9014);
    ixEthDBFilteringPortMaximumFrameSizeSet(1, 9014);
    ixEthDBFilteringPortMaximumFrameSizeSet(2, 1514);

The NPE on Ports 0 and 1 will filter all Rx frames over 9,014 bytes.

A frame of 1,000 bytes is received on Port 2. The NPE will determine the destination port based on learned MAC address, and:

• If the port is unknown, process the frame.
• If the destination port is 0 or 1, process the frame.
• If the port is 2, drop the frame according to the normal MAC filtering rules.

If a frame of 3,000 bytes is received on Port 2, it will be dropped according to the frame size setting.
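The walk-through above as a small host-side C model, added here as an illustration; it is not Intel's code and not part of the IxEthDB API. The function names, the enum and the ordering of the size check before the destination lookup are assumptions, and it goes slightly beyond the text by computing the frame size from the header, payload and FCS components listed earlier.

```c
/* Host-side model of the Rx filtering example. Added illustration only:
 * not IxEthDB or NPE firmware code; every name below is hypothetical. */
#include <stdio.h>

#define NUM_PORTS    3
#define PORT_UNKNOWN (-1)   /* destination MAC has not been learned */

enum rx_action { RX_PROCESS, RX_DROP_SIZE, RX_DROP_MAC_FILTER, RX_BAD_PORT };

/* Per-port limits from the example: ports 0 and 1 = 9014, port 2 = 1514. */
static const unsigned max_frame_size[NUM_PORTS] = { 9014, 9014, 1514 };

/* Bytes counted against the limit: header + payload + FCS (if kept).
 * Header = dest MAC (6) + src MAC (6) + length/type (2) + VLAN tag (4). */
unsigned msdu_size(unsigned payload, int vlan_tagged, int fcs_kept)
{
    unsigned header = 6 + 6 + 2 + (vlan_tagged ? 4u : 0u);
    return header + payload + (fcs_kept ? 4u : 0u);
}

/* Assumption: the size check is modelled before the destination lookup. */
enum rx_action rx_decision(int in_port, unsigned size, int dest_port)
{
    if (in_port < 0 || in_port >= NUM_PORTS)
        return RX_BAD_PORT;
    if (size > max_frame_size[in_port])
        return RX_DROP_SIZE;          /* over the ingress port's limit */
    if (dest_port == in_port)
        return RX_DROP_MAC_FILTER;    /* destination sits on the same port */
    return RX_PROCESS;                /* unknown port or a different port */
}

int main(void)
{
    static const char *name[] = { "process", "drop (size)",
                                  "drop (MAC filter)", "bad port" };
    unsigned tagged = msdu_size(1500, 1, 1);  /* VLAN tag and FCS kept */

    printf("1000 B on port 2, dest unknown: %s\n",
           name[rx_decision(2, 1000, PORT_UNKNOWN)]);
    printf("1000 B on port 2, dest port 2:  %s\n",
           name[rx_decision(2, 1000, 2)]);
    printf("3000 B on port 2, dest port 0:  %s\n",
           name[rx_decision(2, 3000, 0)]);
    printf("%u B tagged frame on port 2:   %s\n",
           tagged, name[rx_decision(2, tagged, 0)]);
    return 0;
}
```

The last case shows why the limit has to account for the VLAN tag and an unstripped FCS: a 1,500-byte payload that fits the 1,514-byte limit untagged is counted as 1,522 bytes once both are present.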

10.3.3 Source MAC Address Firewall

The Ethernet NPE firmware provides three firewall-related services, each of which is capable of filtering a frame based on the value of its source MAC address field:

• Invalid MAC address filtering
• MAC address block (black list)
• MAC address admission (white list)

This feature depends on the run-time NPE configuration and on specific NPE image capabilities (described in “Feature Set” on page 178 and in Chapter 14). Each NPE supporting this feature can be configured independently of the others.

MAC Address Block/Admission

IxEthDB supports per-NPE MAC address-based firewall lists and provides the API to add/remove these MAC addresses, as well as to configure the NPE firewall. There are two firewall operating modes:

Programmer’s Guide

IXP400 Software Version 2.0

April 2005

 

Document Number: 252539, Revision: 007
