摘要:
Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, and mechanisms, for policy-based processing of packets, including mechanisms for managing the policies. A user is authenticated and its user group identifier is identified. A packet is received and is associated with the user group identifier, and one or more fields (typically other than the source address field) of the packet are used to identify a second group identifier. A lookup operation is then performed on a policy based on the first and second group identifiers to identify a packet processing action to be performed on the packet. These identifiers are typically not network addresses, which disassociates the policy from physical network addresses (which often are dynamically assigned and may also vary based on the access point into the network of a user), and allows a switching device to process packets based on a policy stated using group identifiers.
摘要:
Methods, apparatus, and other mechanisms are disclosed for generating accounting or other data based on that indicated in access control lists or other specifications, and typically using associative memory entries in one or more associative memory banks and/or memory devices. One implementation identifies an access control list including multiple access control list entries, with a subset of these access control list entries identifying accounting requests. Accounting mechanisms are associated with each of said access control list entries in the subset of access control list entries identifying accounting requests. An item is identified, and a corresponding accounting mechanism is updated. In one implementation, the item includes at least one autonomous system number. In one implementation, at least one of the accounting mechanisms is associated with at least two different access control list entries in the subset of access control list entries identifying accounting requests.
摘要:
Methods and apparatus are disclosed for performing lookup operations using associative memories, including, but not limited to modifying search keys within an associative memory based on modification mappings, forcing a no-hit condition in response to a highest-priority matching entry including a force no-hit indication, selecting among various sets or banks of associative memory entries in determining a lookup result, and detecting and propagating error conditions. In one implementation, each block retrieves a modification mapping from a local memory and modifies a received search key based on the mapping and received modification data. In one implementation, each of the associative memory entries includes a field for indicating that a successful match on the entry should or should not force a no-hit result. In one implementation, an indication of which associative memory blocks or sets of entries to use in a particular lookup operation is retrieved from a memory.
摘要:
Fields of entries are mapped into new values with these mapped values combined into mapped entries for use in lookup operations typically for packet processing. One implementation identifies a list including multiple items each having a first field and a second field. The unique first and second fields of each item are respectively mapped to mapped first and second fields. A first associative memory is programmed with the unique first fields, and a first stage memory is programmed with the mapped first fields at corresponding locations. A second associative memory is programmed with the unique second fields, a second stage memory is programmed with the mapped second fields at corresponding locations. A second stage associative memory is then programmed, using the mapped first and second fields, with entries corresponding to one or more of the original multiple items.
摘要:
Methods, apparatus, and other mechanisms are disclosed for merging lookup results, such as from one or more associative memory banks and/or memory devices. In one exemplary implementation, multiple associative memories or associative memory banks are configured to substantially simultaneously generate a plurality of lookup results based on a lookup value. Multiple memories are each configured to generate a corresponding result based on the lookup result generated by its corresponding associative memory or associative memory bank. A combiner is configured to receive and merge these corresponding results generated substantially simultaneously in order to identify the merged lookup result.
摘要:
Methods, apparatus, and other mechanisms are disclosed for merging lookup results, such as from one or more associative memory banks and/or memory devices. An access list is identified. A first set of entries corresponding to a first feature of the access control list entries and a second set of entries corresponding to a second feature of the access control list entries are identified. First and second associative memory banks are programmed respectively based on the first and second sets of entries. Lookup operations are then typically performed substantially simultaneously on the first and second sets of associative memory entries programmed in the associative memory banks to generate multiple lookup results, with these results typically being identified directly, or via a lookup operation in an adjunct memory or other storage mechanism. These lookup results are then combined to generate a merged lookup result.
摘要:
Methods and apparatus are disclosed for performing lookup operations using associative memories, including, but not limited to modifying search keys within an associative memory based on modification mappings, forcing a no-hit condition in response to a highest-priority matching entry including a force no-hit indication, selecting among various sets or banks of associative memory entries in determining a lookup result, and detecting and propagating error conditions. In one implementation, each block retrieves a modification mapping from a local memory and modifies a received search key based on the mapping and received modification data. In one implementation, each of the associative memory entries includes a field for indicating that a successful match on the entry should or should not force a no-hit result. In one implementation, an indication of which associative memory blocks or sets of entries to use in a particular lookup operation is retrieved from a memory.
摘要:
Methods and apparatus are disclosed for defining and using associative memory entries with force no-hit and priority indications of particular use in implementing policy maps in communication devices. In one use, a set of entries is determined based on a policy map with a force no-hit indication being associated with one or more of the entries. Additionally, programmable priority indications may be associated with one or more of the entries, or with the associative memory devices, associative memory banks, etc. The force no-hit indications are often used in response to identified deny instructions in an access control list or other policy map. A lookup operation is then performed on these associative memory entries, with highest matching result or results identified based on the programmed and/or implicit priority level associated with the entries, or with the associative memory devices, associative memory banks, etc.
摘要:
A context vector, typically used in a lookup operation of an associative memory, is generated based on a context of a received packet and the packet itself. In one implementation, multiple interfaces can share a common access control list as the context vector provides an indication of the result of unique processing required because of varying contexts, such as, but not limited to different interfaces, source addresses, and virtual network addresses. One implementation includes an input interface circuitry, a context indicator generator, a lookup word field generator, and an associative memory. The context indicator generator generates a context vector corresponding to a characteristic of the input interface circuitry. The lookup word field generator generates one or more lookup word vectors based on the packet. The associative memory performs a lookup operation based on the context vector and lookup word vectors.
摘要:
A hardware search engine facility is provided to allow CPU search and update of a Forwarding Table CAM under the control of software running on the CPU. The hardware search engine provides one or more comparand-mask pairs which allow for a match, exclusion or magnitude comparison on specific entry values and/or the option to ignore or “don't care” certain bits of the entry. Control registers may be set in software to specify a start address and stop address in the CAM for the search. An indication of valid or invalid entries may be provided as well. Once the search is initiated by software, the search engine will read the entries sequentially starting from the programmed start address. It will perform a compare using the comparand-mask pair and attempt to identify a match. The locations in the CAM which match the search criteria may be put into a CPU-accessible memory. If the memory fills up before it can be read by the software, the search may be halted until the memory is emptied. A programmable action may instead, or in addition, be set to take place in the event of a match. Such programmable actions may include, but are not limited to, marking the entry, deleting the entry, change status bits corresponding to the entry, rewriting some of the entry, and the like.