Support User Manuals

Intel IXP400 Frozen Dessert Maker User Manual

Open as PDF

of 364

Intel

®

IXP400 Software

Access-Layer Components: Ethernet Database (IxEthDB) API

Programmer’s Guide IXP400 Software Version 2.0 April 2005

Document Number: 252539, Revision: 007 161

FCS, for example) that causes the frame to exceed the maximum frame size, the frame will not

be transmitted. The TxLargeFramesDiscard counter will be incremented (see Chapter 9).

The maximum supported value is 16,320 bytes. For purposes of clarification, the number of bytes

making up the Maximum Frame Size value is the Ethernet MSDU (Media Service Data Unit) and

defined as the sum of the sizes of:

• the Ethernet header: dest MAC + src MAC + VLAN Tag and/or length/type field

• the Ethernet payload

• the Ethernet frame check sequence (FCS), if not stripped out by

IxEthAccPortRxFrameFcsDisable().

10.3.2.1 Filtering Example Based Upon Maximum Frame Size

On a system with three ports (0, 1, 2), execute:

The NPE on Ports 0 and 1 will filter all Rx frames over 9,014 bytes.

A frame of 1,000 bytes is received on Port 2. The NPE will determine the destination port based on

learned MAC address, and:

• If the port is unknown, process the frame.

• If the destination port is 0 or 1, process the frame.

• If the port is 2, drop the frame according to the normal MAC filtering rules.

A frame of 3,000 bytes is received on Port 2, it will be dropped according to the frame size setting.

10.3.3 Source MAC Address Firewall

The Ethernet NPE firmware provides three firewall-related services, each of which is capable of

filtering a frame based on the value of its source MAC address field:

• Invalid MAC address filtering

• MAC address block (black list)

• MAC address admission (white list)

This feature is dependent on the run-time NPE configuration and specific NPE image capabilities,

described in “Feature Set” on page 178 and Chapter 14). Each NPE supporting this feature can be

configured independently of the others.

MAC Address Block/Admission

IxEthDB supports per-NPE MAC address-based firewall lists and provides the API to add/remove

these MAC addresses, as well as to configure the NPE firewall. There are two firewall operating

modes:

ixEthDBFilteringPortMaximumFrameSizeSet(0, 9014);

ixEthDBFilteringPortMaximumFrameSizeSet(1, 9014);

ixEthDBFilteringPortMaximumFrameSizeSet(2, 1514).

previous next