Intel® IXP400 Software
Access-Layer Components: Ethernet Database (IxEthDB) API
April 2005 IXP400 Software Version 2.0 Programmer's Guide
162 Document Number: 252539, Revision: 007
• allow / white list state – only incoming packets with a source MAC address found in the firewall list are allowed
• deny / black list state – all incoming packets are allowed except those whose source address is found in the firewall list
The firewall lists support a maximum of 31 addresses. This feature is disabled by default and there
are no pre-defined firewall records. When enabled, it operates in black list mode until reconfigured.
The firewall feature can be freely turned on or off and reconfigured at run time.
IxEthDB contains an Ethernet Firewall Database that contains MAC address / port ID records for
this firewall feature. MAC addresses are unique database keys only within the configuration data of
each port. Multiple ports can use the same MAC address entry if individually added to each port.
Also, the firewall records are independent of the XScale Learning/Filtering Database and other
databases within IxEthDB. Once configured, the API is used to download a firewall filtering table
to the NPE.
A typical usage scenario of this feature would consist of the following steps:
1. Enable the IX_ETH_DB_FIREWALL feature
2. Set the firewall operating mode (white list or black list)
3. Add addresses to be blocked (black list mode) or specifically allowed (white list mode)
4. Download the firewall configuration data using ixEthDBFirewallTableDownload(port)
Invalid MAC Address Filtering
According to IEEE802, it is illegal for the source address of an Ethernet frame to be either a
broadcast address or a multicast address. These broadcast/multicast addresses are distinguished by
the value of their first bit (i.e., the least significant bit of the first byte). If the first bit of the MAC
address is 1, the MAC address is either a broadcast or multicast address.
IxEthDB can be used to enable invalid source MAC address filtering in the NPE. When this feature
is enabled, the NPE will inspect the source MAC address of incoming packets and drop packets
whose source MAC address is a multicast or broadcast address. IxEthDB disables this feature by
default.
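The following C model is an added example, not IxEthDB or NPE code: it reproduces the per-port ingress decision described for the firewall feature (white/black list over a 31-entry table, black list as the default mode) and for invalid source address filtering (I/G bit of the first byte), so a practitioner can check what a given configuration will accept before downloading it with ixEthDBFirewallTableDownload(port). All type and function names here are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define FW_MAX_ENTRIES 31            /* per-port limit stated by the guide */

typedef enum { FW_BLACK_LIST = 0, FW_WHITE_LIST = 1 } fw_mode_t;

/* Hypothetical per-port firewall state; mirrors the guide's description,
 * not the library's internal layout. */
typedef struct {
    bool      firewall_enabled;      /* IX_ETH_DB_FIREWALL feature on/off */
    fw_mode_t mode;                  /* black list until reconfigured */
    bool      invalid_src_filter;    /* drop multicast/broadcast source MACs */
    int       count;
    uint8_t   entries[FW_MAX_ENTRIES][6];
} port_fw_t;

void fw_init(port_fw_t *p) {
    memset(p, 0, sizeof *p);         /* feature disabled, no records */
    p->mode = FW_BLACK_LIST;         /* default mode once enabled */
}

/* Returns 0 on success, -1 when the 31-entry table is already full. */
int fw_add(port_fw_t *p, const uint8_t mac[6]) {
    if (p->count >= FW_MAX_ENTRIES) return -1;
    memcpy(p->entries[p->count++], mac, 6);
    return 0;
}

static bool fw_contains(const port_fw_t *p, const uint8_t mac[6]) {
    for (int i = 0; i < p->count; i++)
        if (memcmp(p->entries[i], mac, 6) == 0) return true;
    return false;
}

/* Model of the NPE ingress decision for one frame's source MAC.
 * Returns true if the frame is accepted, false if it is dropped. */
bool fw_accept(const port_fw_t *p, const uint8_t src[6]) {
    /* IEEE 802 I/G bit: LSB of the first byte set means group address,
     * which is illegal as a source and dropped when the filter is on. */
    if (p->invalid_src_filter && (src[0] & 0x01)) return false;
    if (!p->firewall_enabled) return true;
    bool listed = fw_contains(p, src);
    return (p->mode == FW_WHITE_LIST) ? listed : !listed;
}
```

Note that enabling white list mode with an empty table drops every incoming frame on that port, which is the expected failure mode to check for before download.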
10.3.4 802.1Q VLAN
The IxEthDB component provides support for VLAN features when using NPE microcode images
that include VLAN support. All the major VLAN features defined in IEEE 802.1Q are supported.
These include:
• Acceptable frame type filtering for each ingress port
• VLAN tagging and tag removal for each ingress and egress port
• VLAN membership filtering for each ingress port
• VLAN tagging and tag removal control for individual egress packets
• Support for a maximum of 4095 VLAN groups
This feature makes heavy use of the IX_OSAL_MBUF header flag fields to allow a client
application to make VLAN-based processing decisions. The NPE behavior for these header fields
is documented in this section. However, refer to Chapter 9 for a more comprehensive
understanding of the data path.