Untitled :: Microchip UNG BSP Documentation

1. Egress ACL

The ES2 VCAP is part of EACL and enables egress access control lists using VCAP functionality. The LAN966x does not have an ES2 VCAP.

When a frame is egressing on a port it is classified into one of the following traffic types by the ES2 VCAP:

Traffic Type	Sparx5	LAN966x
IPv4	✔	·
IPv6	✔	·
Other	✔	·

Traffic Type

Sparx5

LAN966x

IPv4

✔

IPv6

✔

Other

✔

2. Sparx5 IS2 ACL frame classification

The valid combinations of Sparx5 ES2 lookup keyset versus Traffic Type are:

Sparx5 ES2 keyset - Traffic Type	Size	IPv4	IPv6	Other
ARP	6	·	·	✔
IP4_OTHER	6	✔	✔	·
IP4_TCP_UDP	6	✔	✔	·
MAC_ETYPE	6	✔	✔	✔
IP_7TUPLE	12	✔	✔	·

Sparx5 ES2 keyset - Traffic Type

Size

IPv4

IPv6

Other

✔

✔

✔

✔

✔

In this release the Sparx5s port keyset configuration varies for the 2 ES2 lookups:

Sparx5 IS2 Lookup - Traffic Type	IPv4	IPv6	Other
Lookup 0	MAC_ETYPE	MAC_ETYPE	MAC_ETYPE
Lookup 1	IP4_TCP_UDP IP4_OTHER	IP_7TUPLE	ARP

Sparx5 IS2 Lookup - Traffic Type

IPv4

IPv6

Other

Lookup 0

MAC_ETYPE

Lookup 1

IP4_TCP_UDP IP4_OTHER

IP_7TUPLE

ARP

This will most likely be changed so that both lookups use the same configuration in a future release, as it is possible to change the configuration by using a template.

3. Sparx5 Keysets

3.1. ARP

This keyset is generated when Ethertype is 0x0806 (ARP) or 0x8035 (RARP).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype arp or vlan_ethtype rarp
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
arp_tip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	arp_tip 10.10.10.10 or arp_tip 10.10.0.0/255.255.0.0
arp_sip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	arp_sip 10.10.10.10 or arp_sip 10.10.0.0/255.255.0.0
arp_op	request or reply	arp_op request or arp_op reply

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype arp or vlan_ethtype rarp

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

arp_tip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

arp_tip 10.10.10.10 or arp_tip 10.10.0.0/255.255.0.0

arp_sip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

arp_sip 10.10.10.10 or arp_sip 10.10.0.0/255.255.0.0

arp_op

request or reply

arp_op request or arp_op reply

The filter below matches on classified VLAN tag, and all supported IPv4 fields.

The filter in inserted into chain 20100000 (lookup 1), as this is were the ARP keyset is configured currently.

# tc qdisc add dev eth12 clsact

# tc filter add dev eth12 egress chain 20100000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype arp \
  src_mac 00:33:33:33:33:33 \
  arp_tip 10.10.10.10  \
  arp_sip 20.20.20.20/255.255.0.0 \
  arp_op reply \
  action pass

3.2. IP4_OTHER

This keyset is generated when Ethertype is 0x0800 and IP protocol is neither TCP (6) nor UDP (17).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype ipv4
ip_tos	<TOS> or <TOS>/<TOS_MASK>	ip_tos 0x12 or ip_tos 0x4/0x3f
ip_flags	<IP_FLAG>[/<IP_FLAG>]	ip_flags { [no]frag \| [no]firstfrag }
src_ip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0
dst_ip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0
ip_proto	<IP_PROTO>	ip_proto 1 or ip_proto icmp.

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype ipv4

ip_tos

ip_tos 0x12 or ip_tos 0x4/0x3f

ip_flags

<IP_FLAG>[/<IP_FLAG>]

ip_flags { [no]frag | [no]firstfrag }

src_ip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0

dst_ip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0

ip_proto

<IP_PROTO>

ip_proto 1 or ip_proto icmp.

This filter matches on classified VLAN tag, and all supported IPv4 fields.

The filter in inserted into chain 20100000 (lookup 1), as this is were the IP4_OTHER keyset is configured currently.

# tc qdisc add dev eth49 clsact

# tc filter add dev eth49 egress chain 20100000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype ipv4 \
  ip_tos 0xf/0x3f \
  ip_flags frag/nofirstfrag \
  src_ip 10.10.10.10  \
  dst_ip 20.20.20.20/255.255.0.0 \
  ip_proto icmp \
  action pass

3.3. IP4_TCP_UDP

This keyset is generated when Ethertype is 0x0800 and IP protocol is either TCP (6) or UDP (17).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype ipv4
ip_tos	<TOS> or <TOS>/<TOS_MASK>	ip_tos 0x12 or ip_tos 0x4/0x3f
ip_flags	<IP_FLAG>[/<IP_FLAG>]	ip_flags { [no]frag \| [no]firstfrag }
src_ip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0
dst_ip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0
ip_proto	<IP_PROTO>	ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.
tcp_flags	<FLAGS> or <FLAGS>/<FLAGS_MASK>	tcp_flags 0x1a or tcp_flags 0x10/0x3f
src_port	<PORT> or <PORT>/<PORT_MASK>	src_port 1000 or src_port 0x200/0xff0
dst_port	<PORT> or <PORT>/<PORT_MASK>	dst_port 2000 or dst_port 0x100/0xff0 NOTE: Sparx5: Use Lookup 1 as this is configured with the IP4_TCP_UDP keyset.

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype ipv4

ip_tos

ip_tos 0x12 or ip_tos 0x4/0x3f

ip_flags

<IP_FLAG>[/<IP_FLAG>]

ip_flags { [no]frag | [no]firstfrag }

src_ip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0

dst_ip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0

ip_proto

<IP_PROTO>

ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.

tcp_flags

tcp_flags 0x1a or tcp_flags 0x10/0x3f

src_port

src_port 1000 or src_port 0x200/0xff0

dst_port

dst_port 2000 or dst_port 0x100/0xff0

NOTE: Sparx5: Use Lookup 1 as this is configured with the IP4_TCP_UDP keyset.

This filter matches on classified VLAN tag, and all supported IPv4/TCP fields.

The filter in inserted into chain 20100000 (lookup 1), as this is were the IP4_TCP_UDP keyset is configured currently.

# tc qdisc add dev eth12 clsact

# tc filter add dev eth12 egress chain 20100000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype ipv4 \
  ip_tos 0xf/0x3f \
  ip_flags frag/nofirstfrag \
  src_ip 10.10.10.10  \
  dst_ip 20.20.20.20/255.255.0.0 \
  ip_proto tcp \
  tcp_flags 0x10/0x3f \
  src_port 1000 \
  dst_port 2000 \
  action pass

3.4. MAC_ETYPE

This keyset is generated when frame is not classified to one of the above keys.

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype 0x892f or vlan_ethtype hsr
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
dst_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype 0x892f or vlan_ethtype hsr

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

dst_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

This filter matches on classified VLAN tag, and all supported ETYPE fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 egress chain 20000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype 0xdeed \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action pass

3.5. IP_7TUPLE

This keyset matches both IPv4 and IPv6 traffic. It does not have IPv4 source and destination address keys.

Flower key Value Example

Flower key	Value	Example
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
dst_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype 802.1q or vlan_ethtype ip Note: Supports the same values as in `tc filter` protocol field.
ip_flags	<IP_FLAG>[/<IP_FLAG>]	ip_flags { [no]frag \| [no]firstfrag }
ip_tos	<TOS> or <TOS>/<TOS_MASK>	ip_tos 0x12 or ip_tos 0x4/0x3f. Note: Only the 6 LSBs can be matched in IS1 (The DSCP part).
src_ip	<IPv6 ADDR>	src_ip 2001:0:0:0:e1de:2244:0ff8:0123
dst_ip	<IPv6 ADDR>	dst_ip 2001:0:0:0:e1de:2244:0ff8:4567
ip_proto	<IP_PROTO>	ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.
src_port	<PORT> or <PORT>/<PORT_MASK>	src_port 1000 or src_port 0x200/0xff0
dst_port	<PORT> or <PORT>/<PORT_MASK>	dst_port 2000 or dst_port 0x100/0xff0

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

dst_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype 802.1q or vlan_ethtype ip

Note: Supports the same values as in tc filter protocol field.

ip_flags

<IP_FLAG>[/<IP_FLAG>]

ip_flags { [no]frag | [no]firstfrag }

ip_tos

ip_tos 0x12 or ip_tos 0x4/0x3f.

Note: Only the 6 LSBs can be matched in IS1 (The DSCP part).

src_ip

src_ip 2001:0:0:0:e1de:2244:0ff8:0123

dst_ip

dst_ip 2001:0:0:0:e1de:2244:0ff8:4567

ip_proto

<IP_PROTO>

ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.

src_port

src_port 1000 or src_port 0x200/0xff0

dst_port

dst_port 2000 or dst_port 0x100/0xff0

This filter matches on classified VLAN tag, and all supported IPv6/TCP fields.

The filter in inserted into chain 20100000 (lookup 1) as this is where the IP_7TUPLE keyset is currently configured.

# tc qdisc add dev eth48 clsact

# tc filter add dev eth48 egress chain 20100000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype ipv6 \
  ip_tos 0xf/0x3f \
  src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \
  dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64 \
  ip_proto tcp \
  tcp_flags 0x10/0x3f \
  src_port 1000 \
  dst_port 2000 \
  action pass

3.6. ES2 Actions

The ES2 lookups supports the actions shown in this table.

Flower action	Example	Description	Sparx5	LAN966x
pass	action pass	This is a no-op action.	✔	·
goto chain <CHAIN>	action goto chain 20100000	Which chain to go to after this match. Not needed for the last lookup.	✔	· NOTE: More actions are to be added in future releases.

Flower action

Example

Description

Sparx5

LAN966x

pass

action pass

This is a no-op action.

✔

goto chain <CHAIN>

action goto chain 20100000

Which chain to go to after this match. Not needed for the last lookup.

✔

NOTE: More actions are to be added in future releases.