Intel® IXP400 Software

Access-Layer Components: Ethernet Database (IxEthDB) API

allow / white list state – only incoming packets with a source MAC address found in the firewall list are allowed.

deny / black list state – all incoming packets are allowed except for those whose source address is found in the firewall list.

The firewall lists support a maximum of 31 addresses. This feature is disabled by default and there are no pre-defined firewall records. When enabled, it operates in black list mode until reconfigured. The firewall feature can be freely turned on or off and reconfigured at run time.

IxEthDB contains an Ethernet Firewall Database that contains MAC address / port ID records for this firewall feature. MAC addresses are unique database keys only within the configuration data of each port. Multiple ports can use the same MAC address entry if individually added to each port.

Also, the firewall records are independent of the XScale Learning/Filtering Database and other databases within IxEthDB. Once configured, the API is used to download a firewall filtering table to the NPE.

A typical usage scenario of this feature would consist of the following steps:

1. Enable the IX_ETH_DB_FIREWALL feature

2. Set the firewall operating mode (white list or black list)

3. Add addresses to be blocked (black list mode) or specifically allowed (white list mode)

4. Download the firewall configuration data using ixEthDBFirewallTableDownload(port)

Invalid MAC Address Filtering

According to IEEE 802, it is illegal for the source address of an Ethernet frame to be either a broadcast address or a multicast address. These broadcast/multicast addresses are distinguished by the value of their first bit (i.e., the least significant bit of the first byte). If the first bit of the MAC address is 1, the MAC address is either a broadcast or multicast address.

IxEthDB can be used to enable invalid source MAC address filtering in the NPE. When this feature is enabled, the NPE will inspect the source MAC address of incoming packets and drop packets whose source MAC address is a multicast or broadcast address. IxEthDB disables this feature by default.
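The following is an added, constructed C model of the per-port accept/drop decision described for the firewall lists (white list vs. black list, 31 entries, disabled by default, black list until reconfigured) and for invalid source MAC address filtering (I/G bit, the least significant bit of the first byte). It is not IxEthDB or NPE code; all names (fw_port_t, fw_entry_add, fw_accept_frame, FW_MODE_*) are assumptions made for this example, and it exists only to make the filtering semantics concrete and testable on a host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the per-port firewall state described above (not IxEthDB code). */
#define FW_MAX_ENTRIES 31          /* the firewall list holds at most 31 addresses */
#define FW_MAC_LEN 6

typedef enum { FW_MODE_BLACK_LIST = 0, FW_MODE_WHITE_LIST = 1 } fw_mode_t;

typedef struct {
    bool enabled;                  /* IX_ETH_DB_FIREWALL feature on/off (off by default) */
    fw_mode_t mode;                /* black list until reconfigured */
    bool drop_invalid_src;         /* invalid source MAC filtering (off by default) */
    int count;
    uint8_t list[FW_MAX_ENTRIES][FW_MAC_LEN];
} fw_port_t;

/* Reset to the documented defaults: feature disabled, black list mode, no records. */
void fw_port_init(fw_port_t *p) { memset(p, 0, sizeof *p); }

/* Add a record; returns false when the 31-entry list is full. Duplicates are rejected
   within a port, matching the "MAC address is a unique key within a port" rule. */
bool fw_entry_add(fw_port_t *p, const uint8_t mac[FW_MAC_LEN]) {
    for (int i = 0; i < p->count; i++)
        if (memcmp(p->list[i], mac, FW_MAC_LEN) == 0) return false;
    if (p->count >= FW_MAX_ENTRIES) return false;
    memcpy(p->list[p->count++], mac, FW_MAC_LEN);
    return true;
}

/* IEEE 802 I/G bit: LSB of the first octet set means a group (multicast/broadcast) address. */
static bool mac_is_group(const uint8_t mac[FW_MAC_LEN]) { return (mac[0] & 0x01) != 0; }

static bool fw_list_contains(const fw_port_t *p, const uint8_t mac[FW_MAC_LEN]) {
    for (int i = 0; i < p->count; i++)
        if (memcmp(p->list[i], mac, FW_MAC_LEN) == 0) return true;
    return false;
}

/* Decide whether an incoming frame with this source MAC is accepted on the port. */
bool fw_accept_frame(const fw_port_t *p, const uint8_t src_mac[FW_MAC_LEN]) {
    if (p->drop_invalid_src && mac_is_group(src_mac)) return false; /* illegal source */
    if (!p->enabled) return true;                                   /* no firewall: pass */
    bool listed = fw_list_contains(p, src_mac);
    return p->mode == FW_MODE_WHITE_LIST ? listed : !listed;
}
```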

10.3.4 802.1Q VLAN

The IxEthDB component provides support for VLAN features when using NPE microcode images that include VLAN support. All the major VLAN features defined in IEEE 802.1Q are supported. These include:

Acceptable frame type filtering for each ingress port

VLAN tagging and tag removal for each ingress and egress port

VLAN membership filtering for each ingress port

VLAN tagging and tag removal control for individual egress packets

Support for a maximum of 4095 VLAN groups

This feature makes heavy use of the IX_OSAL_MBUF header flag fields to allow a client application to make VLAN-based processing decisions. The NPE behavior for these header fields is documented in this section. However, refer to Chapter 9 for a more comprehensive understanding of the data path.

April 2005

IXP400 Software Version 2.0

Programmer’s Guide

162

Document Number: 252539, Revision: 007
