ACL (IS2)

ACL (access-control list) in Microchip switch products is based on VCAP IS2 lookups and can be used for the following purposes:

Permit frame
Drop frame
Police frame
Mirror frame
Extract frame to CPU

When a frame is received on a port it is classified into one of the following traffic types by the IS2 VCAP:

Traffic Type	Sparx5	LAN966x
IPv4 MC	✔	·
IPv4 UC	✔	·
IPv6 MC	✔	·
IPv6 UC	✔	·
IPv4 TCP/UDP	·	✔
IPv4 Other	·	✔
IPv6 TCP/UDP	·	✔
IPv6 Other	·	✔
OAM	·	✔
SNAP	·	✔
LLC	·	✔
ARP/RARP	✔	✔
Other frames	✔	✔

Traffic Type

Sparx5

LAN966x

IPv4 MC

✔

IPv4 UC

✔

IPv6 MC

✔

IPv6 UC

✔

IPv4 TCP/UDP

✔

IPv4 Other

✔

IPv6 TCP/UDP

✔

IPv6 Other

✔

OAM

✔

SNAP

✔

LLC

✔

ARP/RARP

✔

Other frames

✔

All frame types are subject to the appropriate lookups according to the VCAP. See VCAP Information.

Each port is configured to generate a specific keyset (a set of key values extracted from a frame) for each combination of Traffic Type and lookup.

A keyset is an internal value used by the hardware. A flower key is what the user specifies in the tc flower filter command.

1. Sparx5 IS2 ACL frame classification

The valid combinations of Sparx5 IS2 lookup keyset versus Traffic Type are:

Sparx5 IS2 keyset - Traffic Type	Size	IPv4 UC/MC	IPv6 UC/MC	ARP/RARP	Other
ARP	6	·	·	✔	·
IP4_OTHER	6	✔	✔	·	·
IP4_TCP_UDP	6	✔	✔	·	·
IP_7TUPLE	12	✔	✔	·	·
MAC_ETYPE	6	✔	✔	·	✔

Sparx5 IS2 keyset - Traffic Type

Size

IPv4 UC/MC

IPv6 UC/MC

ARP/RARP

Other

✔

✔

✔

✔

✔

The unicast and multicast configurations are set to the same value.

The IPv4 configuration can be setup to generate IP4_TCP_UDP for IPv4 TCP/UDP traffic and IP4_OTHER for non-TCP/UDP IPv4 traffic.

Similarly the IPv6 configuration can be setup to generate IP4_TCP_UDP for IPv6 TCP/UDP traffic and IP4_OTHER for non-TCP/UDP IPv6 traffic.

In this release the Sparx5s port keyset configuration varies for the 4 IS2 lookups:

Sparx5 IS2 Lookup - Traffic Type	IPv4 UC/MC	IPv6 UC/MC	ARP/RARP	Other
Lookup 0	MAC_ETYPE	MAC_ETYPE	MAC_ETYPE	MAC_ETYPE
Lookup 1	IP4_TCP_UDP IP4_OTHER	IP_7TUPLE	ARP	MAC_ETYPE
Lookup 2	IP_7TUPLE	IP_7TUPLE	ARP	MAC_ETYPE
Lookup 3	IP_7TUPLE	IP_7TUPLE	MAC_ETYPE	MAC_ETYPE

Sparx5 IS2 Lookup - Traffic Type

IPv4 UC/MC

IPv6 UC/MC

ARP/RARP

Other

Lookup 0

MAC_ETYPE

Lookup 1

IP4_TCP_UDP IP4_OTHER

IP_7TUPLE

ARP

MAC_ETYPE

Lookup 2

IP_7TUPLE

ARP

MAC_ETYPE

Lookup 3

IP_7TUPLE

MAC_ETYPE

This will most likely be changed so that all lookups use the same configuration in a future release, as it is possible to change the configuration by using a template, and LAN966x uses the same configuration for all lookups.

2. LAN966x IS2 ACL frame classification

The valid combinations of Sparx5 IS2 lookup keyset versus Traffic Type are:

LAN966x IS2 keyset - Traffic Type	Size	IPv4 TCP/UDP	IPv4 Other	IPv6 TCP/UDP	IP6 Other	OAM	SNAP	ARP/RARP	Other
ARP	2	·	·	·	·	·	·	✔	·
IP4_OTHER	2	·	✔	·	✔	·	·	·	·
IP4_TCP_UDP	2	✔	·	✔	·	·	·	·	·
IP6_OTHER	4	·	·	·	✔	·	·	·	·
IP6_TCP_UDP	4	·	·	✔	·	·	·	·	·
MAC_ETYPE	2	✔	✔	✔	✔	✔	·	✔	✔
MAC_LLC	2	·	·	·	·	·	✔	·	·
MAC_SNAP	2	·	·	·	·	·	✔	·	·
OAM	2	·	·	·	·	✔	·	·	·

LAN966x IS2 keyset - Traffic Type

Size

IPv4 TCP/UDP

IPv4 Other

IPv6 TCP/UDP

IP6 Other

OAM

SNAP

ARP/RARP

Other

✔

✔

✔

✔

✔

✔

✔

✔

✔

The IS2 VCAP has two additional lookup keys, IP6_STD and CUSTOM, which are currently not used.

The IP6 keys are twice as large as the other keys which means that they occupy twice as much space in the VCAP when used.

The supported flower keys for each IS2 lookup keyset are described next and here is also shown examples on how to use the actions.

A more thorough description of the actions is found in the section IS2 Actions

3. IS2 keysets

3.1. IP_7TUPLE

This keyset is used for both IPv4 and IPv6 traffic. It does not have IPv4 source and destination addresses though.

Flower key Value Example

Flower key	Value	Example
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
dst_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype 802.1q or vlan_ethtype ip Note: Supports the same values as in `tc filter` protocol field.
ip_flags	<IP_FLAG>[/<IP_FLAG>]	ip_flags { [no]frag \| [no]firstfrag }
ip_tos	<TOS> or <TOS>/<TOS_MASK>	ip_tos 0x12 or ip_tos 0x4/0x3f. Note: Only the 6 LSBs can be matched in IS1 (The DSCP part).
src_ip	<IPv6 ADDR>	src_ip 2001:0:0:0:e1de:2244:0ff8:0123
dst_ip	<IPv6 ADDR>	dst_ip 2001:0:0:0:e1de:2244:0ff8:4567
ip_proto	<IP_PROTO>	ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.
src_port	<PORT> or <PORT>/<PORT_MASK>	src_port 1000 or src_port 0x200/0xff0
dst_port	<PORT> or <PORT>/<PORT_MASK>	dst_port 2000 or dst_port 0x100/0xff0

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

dst_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype 802.1q or vlan_ethtype ip

Note: Supports the same values as in tc filter protocol field.

ip_flags

<IP_FLAG>[/<IP_FLAG>]

ip_flags { [no]frag | [no]firstfrag }

ip_tos

ip_tos 0x12 or ip_tos 0x4/0x3f.

Note: Only the 6 LSBs can be matched in IS1 (The DSCP part).

src_ip

src_ip 2001:0:0:0:e1de:2244:0ff8:0123

dst_ip

dst_ip 2001:0:0:0:e1de:2244:0ff8:4567

ip_proto

<IP_PROTO>

ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.

src_port

src_port 1000 or src_port 0x200/0xff0

dst_port

dst_port 2000 or dst_port 0x100/0xff0

This filter matches on classified VLAN tag, and all supported IPv6/TCP fields.

The filter in inserted into chain 8200000 (lookup 2), traps all matching packets and goes to lookup 3 in IS2 (chain 8300000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8200000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype ipv6 \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \
  dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64 \
  ip_proto tcp \
  tcp_flags 0x10/0x3f \
  src_port 1000 \
  dst_port 2000 \
  action trap \
  action goto chain 8300000

3.2. IP6_TCP_UDP

This keyset is generated when Ethertype is 0x86dd and Next header is either TCP (6) or UDP (17).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype ipv6
ip_ttl	<TTL>	ip_ttl 1
ip_tos	<TOS> or <TOS>/<TOS_MASK>	ip_tos 0x12 or ip_tos 0x4/0x3f
src_ip	<IPv6_ADDR> or <IPv6_ADDR>/<PREFIX>	src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 or src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123/32
dst_ip	<IPv6_ADDR> or <IPv6_ADDR>/<PREFIX>	dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567 or dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64
ip_proto	<IP_PROTO>	ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.
tcp_flags	<FLAGS> or <FLAGS>/<FLAGS_MASK>	tcp_flags 0x1a or tcp_flags 0x10/0x3f
src_port	<PORT> or <PORT>/<PORT_MASK>	src_port 1000 or src_port 0x200/0xff0
dst_port	<PORT> or <PORT>/<PORT_MASK>	dst_port 2000 or dst_port 0x100/0xff0

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype ipv6

ip_ttl

<TTL>

ip_ttl 1

ip_tos

ip_tos 0x12 or ip_tos 0x4/0x3f

src_ip

<IPv6_ADDR> or <IPv6_ADDR>/<PREFIX>

src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 or src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123/32

dst_ip

<IPv6_ADDR> or <IPv6_ADDR>/<PREFIX>

dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567 or dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64

ip_proto

<IP_PROTO>

ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.

tcp_flags

tcp_flags 0x1a or tcp_flags 0x10/0x3f

src_port

src_port 1000 or src_port 0x200/0xff0

dst_port

dst_port 2000 or dst_port 0x100/0xff0

This filter matches on classified VLAN tag, and all supported IPv6/TCP fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype ipv6 \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \
  dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64 \
  ip_proto tcp \
  tcp_flags 0x10/0x3f \
  src_port 1000 \
  dst_port 2000 \
  action drop \
  action goto chain 8100000

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol ipv6 flower skip_sw \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \
  dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64 \
  ip_proto tcp \
  tcp_flags 0x10/0x3f \
  src_port 1000 \
  dst_port 2000 \
  action drop \
  action goto chain 8100000

3.3. IP6_OTHER

This keyset is generated when Ethertype is 0x86dd and Next header is neither TCP (6) nor UDP (17).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype ipv6
ip_ttl	<TTL>	ip_ttl 1
ip_tos	<TOS> or <TOS>/<TOS_MASK>	ip_tos 0x12 or ip_tos 0x4/0x3f
src_ip	<IPv6_ADDR> or <IPv6_ADDR>/<PREFIX>	src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 or src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123/32
dst_ip	<IPv6_ADDR> or <IPv6_ADDR>/<PREFIX>	dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567 or dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64
ip_proto	<IP_PROTO>	ip_proto 58 or ip_proto icmpv6.

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype ipv6

ip_ttl

<TTL>

ip_ttl 1

ip_tos

ip_tos 0x12 or ip_tos 0x4/0x3f

src_ip

<IPv6_ADDR> or <IPv6_ADDR>/<PREFIX>

src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 or src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123/32

dst_ip

<IPv6_ADDR> or <IPv6_ADDR>/<PREFIX>

dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567 or dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64

ip_proto

<IP_PROTO>

ip_proto 58 or ip_proto icmpv6.

This filter matches on classified VLAN tag, and all supported IPv6 fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype ipv6 \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \
  dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64 \
  ip_proto icmpv6 \
  action drop \
  action goto chain 8100000

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol ipv6 flower skip_sw \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  src_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:0123 \
  dst_ip 2001:0db8:3c4d:0015:e1de:2244:0ff8:4567/64 \
  ip_proto icmpv6 \
  action drop \
  action goto chain 8100000

3.4. IP4_TCP_UDP

This keyset is generated when Ethertype is 0x0800 and IP protocol is either TCP (6) or UDP (17).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype ipv4
ip_ttl	<TTL>	ip_ttl 1
ip_tos	<TOS> or <TOS>/<TOS_MASK>	ip_tos 0x12 or ip_tos 0x4/0x3f
ip_flags	<IP_FLAG>[/<IP_FLAG>]	ip_flags { [no]frag \| [no]firstfrag }
src_ip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0
dst_ip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0
ip_proto	<IP_PROTO>	ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.
tcp_flags	<FLAGS> or <FLAGS>/<FLAGS_MASK>	tcp_flags 0x1a or tcp_flags 0x10/0x3f
src_port	<PORT> or <PORT>/<PORT_MASK>	src_port 1000 or src_port 0x200/0xff0
dst_port	<PORT> or <PORT>/<PORT_MASK>	dst_port 2000 or dst_port 0x100/0xff0 NOTE: Sparx5: Use Lookup 1 as this is configured with the IP4_OTHER keyset. The drop action is not available for IS2.

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype ipv4

ip_ttl

<TTL>

ip_ttl 1

ip_tos

ip_tos 0x12 or ip_tos 0x4/0x3f

ip_flags

<IP_FLAG>[/<IP_FLAG>]

ip_flags { [no]frag | [no]firstfrag }

src_ip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0

dst_ip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0

ip_proto

<IP_PROTO>

ip_proto 6, ip_proto tcp, ip_proto 17 or ip_proto udp.

tcp_flags

tcp_flags 0x1a or tcp_flags 0x10/0x3f

src_port

src_port 1000 or src_port 0x200/0xff0

dst_port

dst_port 2000 or dst_port 0x100/0xff0

NOTE: Sparx5: Use Lookup 1 as this is configured with the IP4_OTHER keyset. The drop action is not available for IS2.

This filter matches on classified VLAN tag, and all supported IPv4/TCP fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype ipv4 \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  ip_flags frag/nofirstfrag \
  src_ip 10.10.10.10  \
  dst_ip 20.20.20.20/255.255.0.0 \
  ip_proto tcp \
  tcp_flags 0x10/0x3f \
  src_port 1000 \
  dst_port 2000 \
  action drop \
  action goto chain 8100000

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol ipv4 flower skip_sw \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  ip_flags frag/nofirstfrag \
  src_ip 10.10.10.10  \
  dst_ip 20.20.20.20/255.255.0.0 \
  ip_proto tcp \
  tcp_flags 0x10/0x3f \
  src_port 1000 \
  dst_port 2000 \
  action drop \
  action goto chain 8100000

3.5. IP4_OTHER

This keyset is generated when Ethertype is 0x0800 and IP protocol is neither TCP (6) nor UDP (17).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype ipv4
ip_ttl	<TTL>	ip_ttl 1
ip_tos	<TOS> or <TOS>/<TOS_MASK>	ip_tos 0x12 or ip_tos 0x4/0x3f
ip_flags	<IP_FLAG>[/<IP_FLAG>]	ip_flags { [no]frag \| [no]firstfrag }
src_ip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0
dst_ip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0
ip_proto	<IP_PROTO>	ip_proto 1 or ip_proto icmp.

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype ipv4

ip_ttl

<TTL>

ip_ttl 1

ip_tos

ip_tos 0x12 or ip_tos 0x4/0x3f

ip_flags

<IP_FLAG>[/<IP_FLAG>]

ip_flags { [no]frag | [no]firstfrag }

src_ip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

src_ip 10.10.10.10 or src_ip 10.10.0.0/255.255.0.0

dst_ip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

dst_ip 20.20.20.20, dst_ip 20.20.0.0/255.255.0.0

ip_proto

<IP_PROTO>

ip_proto 1 or ip_proto icmp.

This filter matches on classified VLAN tag, and all supported IPv4 fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

Sparx5: Use Lookup 1 as this is configured with the IP4_OTHER keyset. The drop action is not available for IS2.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype ipv4 \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  ip_flags frag/nofirstfrag \
  src_ip 10.10.10.10  \
  dst_ip 20.20.20.20/255.255.0.0 \
  ip_proto icmp \
  action drop \
  action goto chain 8100000

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol ipv4 flower skip_sw \
  ip_ttl 1 \
  ip_tos 0xf/0x3f \
  ip_flags frag/nofirstfrag \
  src_ip 10.10.10.10  \
  dst_ip 20.20.20.20/255.255.0.0 \
  ip_proto icmp \
  action drop \
  action goto chain 8100000

3.6. ARP

This keyset is generated when Ethertype is 0x0806 (ARP) or 0x8035 (RARP).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype arp or vlan_ethtype rarp
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
arp_tip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	arp_tip 10.10.10.10 or arp_tip 10.10.0.0/255.255.0.0
arp_sip	<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>	arp_sip 10.10.10.10 or arp_sip 10.10.0.0/255.255.0.0
arp_op	request or reply	arp_op request or arp_op reply

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype arp or vlan_ethtype rarp

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

arp_tip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

arp_tip 10.10.10.10 or arp_tip 10.10.0.0/255.255.0.0

arp_sip

<IPv4_ADDR> or <IPv4_ADDR>/<IPv4_ADDR_MASK>

arp_sip 10.10.10.10 or arp_sip 10.10.0.0/255.255.0.0

arp_op

request or reply

arp_op request or arp_op reply

This filter matches on classified VLAN tag, and all supported IPv4 fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype arp \
  src_mac 00:33:33:33:33:33 \
  arp_tip 10.10.10.10  \
  arp_sip 20.20.20.20/255.255.0.0 \
  arp_op reply \
  action drop \
  action goto chain 8100000

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol arp flower skip_sw \
  src_mac 00:33:33:33:33:33 \
  arp_tip 10.10.10.10  \
  arp_sip 20.20.20.20/255.255.0.0 \
  arp_op reply \
  action drop \
  action goto chain 8100000

Sparx5: Use Lookup 1 or 2 as this is configured with the ARP keyset. The drop action is not available for IS2.

3.7. OAM

This keyset is generated when Ethertype is 0x8809 (Ethernet slow protocols), 0x88ee (MEF 16 E-LMI) or 0x8902 (IEEE 802.1ag Connectivity Fault Management).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype 0x8809, vlan_ethtype 0x88ee or vlan_ethtype 0x8902
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
dst_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype 0x8809, vlan_ethtype 0x88ee or vlan_ethtype 0x8902

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

dst_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

This filter matches on classified VLAN tag, and all supported OAM fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype 0x8809 \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action drop \
  action goto chain 8100000

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 0x8809 flower skip_sw \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action drop \
  action goto chain 8100000

3.8. MAC_SNAP

This keyset is generated when Ethertype is less than 0x600 and LLC header is a SNAP header (0xaaaa03).

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype snap
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
dst_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype snap

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

dst_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

This filter matches on classified VLAN tag, and all supported SNAP fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype snap \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action drop \
  action goto chain 8100000

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol snap flower skip_sw \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action drop \
  action goto chain 8100000

3.9. MAC_LLC

This keyset is generated when Ethertype is less than 0x600 and LLC header is not a SNAP header.

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype 802_2
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
dst_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype 802_2

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

dst_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

This filter matches on classified VLAN tag, and all supported LLC fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype 802_2 \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action drop \
  action goto chain 8100000

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802_2 flower skip_sw \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action drop \
  action goto chain 8100000

3.10. MAC_ETYPE

This keyset is generated when frame is not classified to one of the above keys.

Flower key	Value	Example
vlan_id	<VID> or <VID>/<VID_MASK>	vlan_id 1234 or vlan_id 0x100/0xff0
vlan_prio	<PCP> or <PCP>/<PCP_MASK>	vlan_prio 3 or vlan_id 0x0/0x1
vlan_ethtype	<PROTO>	vlan_ethtype 0x892f or vlan_ethtype hsr
src_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00
dst_mac	<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>	dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

Flower key

Value

Example

vlan_id

vlan_id 1234 or vlan_id 0x100/0xff0

vlan_prio

vlan_prio 3 or vlan_id 0x0/0x1

vlan_ethtype

<PROTO>

vlan_ethtype 0x892f or vlan_ethtype hsr

src_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

src_mac 00:33:33:33:33:33 or src_mac 00:33:33:00:00:00/ff:ff:ff:00:00:00

dst_mac

<MAC_ADDR> or <MAC_ADDR>/<MAC_ADDR_MASK>

dst_mac 00:44:44:44:44:44 or dst_mac 00:44:44:00:00:00/ff:ff:ff:00:00:00

This filter matches on classified VLAN tag, and all supported ETYPE fields.

The filter in inserted into chain 8000000 (first lookup), drops all matching packets and goes to second lookup in IS2 (chain 8100000).

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol 802.1q flower skip_sw \
  vlan_id 100 \
  vlan_prio 1 \
  vlan_ethtype hsr \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action drop \
  action goto chain 8100000

Sparx5: The HSR ethtype is not supported. The drop action is not available for IS2.

This filter is the same as above but without VLAN matching.

# tc qdisc add dev eth0 clsact

# tc filter add dev eth0 ingress chain 8000000 prio 10 handle 42 protocol hsr flower skip_sw \
  src_mac 00:33:33:33:33:33 \
  dst_mac 00:44:44:44:00:00/ff:ff:ff:ff:00:00 \
  action drop \
  action goto chain 8100000

3.11. IS2 Actions

The IS2 lookups supports the actions shown in this table. Some actions are only supported on one switch and some action are not available in all lookups.

Flower action	Example	Description	Sparx5	LAN966x
pass	action pass	This is a no-op action.	✔	✔
trap	action trap	Drop the frame and send a copy to the CPU.	✔	✔
drop	action drop	Drop the frame.	✔	✔
police rate <RATE> burst <BURST>	action police rate 100kbit burst 16000	Police the frames to a specific bit rate.	✔	Only Lookup 0
mirror to dev <DEV>	action mirred egress mirror dev eth3	Mirror the frame on monitor port eth3.	✔	✔
redirect to dev <DEV>	action mirred egress redirect dev eth3	Redirect the frame to port eth3.	✔	·
goto chain <CHAIN>	action goto chain 8100000	Which chain to go to after this match. A no-op action in second lookup. In first lookup the chain number is used to match the PAG value that was assigned in the third lookup in the IS1 VCAP.	✔	✔

Flower action

Example

Description

Sparx5

LAN966x

pass

action pass

This is a no-op action.

✔

trap

action trap

Drop the frame and send a copy to the CPU.

✔

drop

action drop

Drop the frame.

✔

police rate <RATE> burst <BURST>

action police rate 100kbit burst 16000

Police the frames to a specific bit rate.

✔

Only Lookup 0

mirror to dev <DEV>

action mirred egress mirror dev eth3

Mirror the frame on monitor port eth3.

✔

redirect to dev <DEV>

action mirred egress redirect dev eth3

Redirect the frame to port eth3.

✔

goto chain <CHAIN>

action goto chain 8100000

Which chain to go to after this match. A no-op action in second lookup. In first lookup the chain number is used to match the PAG value that was assigned in the third lookup in the IS1 VCAP.

✔

3.12. IS2 Status

Use the tc filter show command to see the filter configuration for a specific port.

Add -s to also see the statistics:

# tc -s filter show dev eth2 ingress
  filter protocol all pref 65535 flower chain 1200000
  filter protocol all pref 65535 flower chain 1200000 handle 0x2a
  dst_mac 00:44:44:44:44:44/24
  src_mac 00:33:33:33:33:33/24
  skip_sw
  in_hw in_hw_count 1
  action order 1: gact action goto chain 8000002
  random type none pass val 0
  index 1 ref 1 bind 1 installed 11 sec used 11 sec
  Action statistics:
  Sent 0 bytes 10014 pkt (dropped 0, overlimits 0 requeues 0)
  Sent software 0 bytes 0 pkt
  Sent hardware 0 bytes 10014 pkt
  backlog 0b 0p requeues 0
  used_hw_stats immediate

  filter protocol all pref 100 flower chain 8000002
  filter protocol all pref 100 flower chain 8000002 handle 0xc8
  skip_sw
  in_hw in_hw_count 1
  action order 1:  police 0xa rate 100Mbit burst 16000b mtu 2Kb action reclassify overhead 0b
  ref 2 bind 1  installed 6 sec used 6 sec
  Action statistics:
  Sent 0 bytes 10000 pkt (dropped 0, overlimits 0 requeues 0)
  Sent software 0 bytes 0 pkt
  Sent hardware 0 bytes 10000 pkt
  backlog 0b 0p requeues 0
  used_hw_stats immediate

  action order 2: gact action goto chain 8100000
  random type none pass val 0
  index 2 ref 1 bind 1 installed 6 sec used 6 sec
  Action statistics:
  Sent 0 bytes 10000 pkt (dropped 0, overlimits 0 requeues 0)
  Sent software 0 bytes 0 pkt
  Sent hardware 0 bytes 10000 pkt
  backlog 0b 0p requeues 0
  used_hw_stats immediate

First comes information about the filter, then the match and finally the actions including statistics.

The number of frames that has his the filter is shown as Sent hardware 0 bytes 10000 pkt.

Note that the hardware does not support counting the number of bytes and frames dropped by a policer when using IS2.

In the current kernel the same statistics are shown for all actions in a filter. This might change in the future.

The example above also includes a rule in LAN966x IS1, chain 1200000, with a single action goto chain 8000002.