Exploring TCAM
A TCAM is a content-addressable memory where each bit is allowed to store a 0, a 1, or a
don't-care value: the "ternary" qualifier comes from the fact that three different types of
values can be stored. You can think of a CAM as a reverse random-access memory: data is
provided and an address is returned. Don't-care bits play an important role in ACL lookups
because ACLs frequently ignore portions of an IP address. For example, if an ACL is
interested in matching traffic from 192.168.2.0/24, it does not care about the low-order
byte. (The subnet mask is 24 bits long, while an entire IP address is 32 bits long.) From a
logical standpoint, a TCAM is organized as a collection of masks with several values
associated with them. A mask is a bit map that says, "Match the first 24 bits of the IP address,"
or "Match all 32 bits of the IP address," or again, "Match the full 32 bits of the source IP
but do not care about the destination IP." Several values are associated with each mask.
Values represent IP addresses that use that mask. For example, if the mask says, "First
24 bits of the IP address," the values associated with that entry in the TCAM could be all
ACL entries that permit or deny /24 source subnets. Figure 16-7 shows this concept.
[Figure 16-7 graphic: columns of mask bits (1 = compare this bit, 0 = don't care) drawn beside the value patterns they apply to, such as 0000100, 0000101, ..., 1101111; only these fragments of the drawing survived extraction.]
Technology Behind Fast ACL Lookups 269
Figure 16-7 TCAM: Masks and Values
Referring to Figure 16-7, consider the ACL shown in Example 16-2.
With this ACL, the TCAM contains two masks: match all 32 bits of the source IP address,
and match the first 24 bits of the source IP. IP address 8.1.1.1 is associated with the first
mask, while IP prefix 8.1.1.0/24 is stored with the second mask. The remaining mask bits
are don't-care bits, corresponding to the destination IP address, port numbers, and so on.
They are marked as don't-care bits because the ACL is not interested in matching them (that
is, the any keyword in the ACL). Each pattern points to a result in case of a hit. A result
can be "permit," "deny," "capture," "redirect," and so on. Referring to the ACL in
Example 16-2, a lookup for source IP address 8.1.1.1 returns a permit result. On the other
hand, a lookup for source IP 8.1.1.8 results in the packet being denied because it does not
match the full 32-bit entry for 8.1.1.1 and therefore falls through to the /24 deny entry.
You can find an excellent online reference on TCAM architecture at Cisco.com (http://
tinyurl.com/2sefej).
Example 16-2 ACL Programmed in the TCAM per Figure 16-7
access-list 101 permit ip host 8.1.1.1 any
! IOS extended ACLs take a wildcard mask (inverse of the netmask): 0.0.0.255 selects 8.1.1.0/24
access-list 101 deny ip 8.1.1.0 0.0.0.255 any
access-list 101 deny ip host 8.2.1.1 any
[Figure 16-7 labels, masks and patterns:]
Mask Number One. Match condition: all 32 bits of source IP address. Don't care: all remaining bits.
  Patterns: Source IP = 8.1.1.1, Result: Permit; Source IP = 8.2.1.1, Result: Deny; entries 3 through 8 empty.
Mask Number Two. Match condition: most significant 24 bits of source IP address. Don't care: all remaining bits.
  Patterns: Source IP = 8.1.1.X, Result: Deny; entries 2 through 8 empty.
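The lookup behaviour described in this section (masks, values, don't-care bits, and a priority-ordered result) can be modelled in a few lines. The following is an added example, not code from the book or from any Cisco product: it programs the three lines of Example 16-2 into a toy TCAM keyed on the 32-bit source address only, runs the lookups the text discusses, and adds a shadow check a practitioner would want before installing an ACL. All names (Tcam, TcamEntry, program_acl, classify, shadowed_entries, wildcard_to_mask) are hypothetical; the /24 line is written with the IOS wildcard 0.0.0.255, the inverse of netmask 255.255.255.0.

```python
"""Software model of a TCAM holding the Example 16-2 ACL (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TcamEntry:
    # Search key in this model is the 32-bit source IP only; the fields the ACL
    # ignores (destination IP, ports, "any") are implied don't-cares.
    value: int    # bits that must be equal wherever the mask bit is 1
    mask: int     # 1 = compare this bit, 0 = don't care
    result: str   # action attached to the pattern: "permit", "deny", ...

    def matches(self, key: int) -> bool:
        return (key & self.mask) == (self.value & self.mask)


class Tcam:
    def __init__(self) -> None:
        self.entries: list[TcamEntry] = []   # list index == priority, lower wins

    def add(self, value: int, mask: int, result: str) -> None:
        self.entries.append(TcamEntry(value, mask, result))

    def lookup(self, key: int) -> str:
        # Hardware compares every entry in parallel and a priority encoder
        # returns the lowest-indexed hit; a sequential scan gives the same answer.
        for entry in self.entries:
            if entry.matches(key):
                return entry.result
        return "deny"   # implicit deny at the end of every IOS access list

    def masks(self) -> set[int]:
        # Distinct masks are what the TCAM groups values under (Figure 16-7).
        return {e.mask for e in self.entries}


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_to_mask(wildcard: str) -> int:
    # IOS wildcard: 0 bits must match, 1 bits are don't care (inverse of a netmask).
    return (~ip_to_int(wildcard)) & 0xFFFFFFFF


def program_acl(acl_lines: list[str]) -> Tcam:
    """Parse 'access-list <n> <action> ip <src-spec> any' lines into TCAM entries."""
    tcam = Tcam()
    for line in acl_lines:
        toks = line.split()
        action = toks[2]
        if toks[4] == "host":                  # exact 32-bit match
            value, mask = ip_to_int(toks[5]), 0xFFFFFFFF
        elif toks[4] == "any":                 # every bit is don't care
            value, mask = 0, 0
        else:                                  # address + wildcard
            value, mask = ip_to_int(toks[4]), wildcard_to_mask(toks[5])
        tcam.add(value, mask, action)
    return tcam


def shadowed_entries(tcam: Tcam) -> list[int]:
    """Indices of entries that can never be hit because an earlier entry
    compares a subset of their bits and agrees on all of them."""
    shadowed = []
    for j, later in enumerate(tcam.entries):
        for earlier in tcam.entries[:j]:
            subset = (earlier.mask & ~later.mask) == 0
            same = (earlier.value & earlier.mask) == (later.value & earlier.mask)
            if subset and same:
                shadowed.append(j)
                break
    return shadowed


# The ACL from Example 16-2, in the order the book lists it.
ACL_101 = [
    "access-list 101 permit ip host 8.1.1.1 any",
    "access-list 101 deny ip 8.1.1.0 0.0.0.255 any",
    "access-list 101 deny ip host 8.2.1.1 any",
]

# Constructed variant with the /24 deny placed first: the host permit is now unreachable.
ACL_101_REORDERED = [ACL_101[1], ACL_101[0], ACL_101[2]]


def classify(src_ip: str, acl: list[str] = ACL_101) -> str:
    return program_acl(acl).lookup(ip_to_int(src_ip))


if __name__ == "__main__":
    for ip in ("8.1.1.1", "8.1.1.8", "8.2.1.1", "9.9.9.9"):
        print(f"{ip:>10} -> {classify(ip)}")
    print("shadowed in reordered ACL:", shadowed_entries(program_acl(ACL_101_REORDERED)))
```

The model returns the first hit in programmed order, which is exactly what makes ACL ordering significant: the reordered variant still compiles to the same two masks and the same three values, but the 32-bit permit for 8.1.1.1 sits behind the /24 deny and can never be selected. Running shadowed_entries over an ACL before pushing it to a switch catches that class of mistake offline.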
270 Chapter 16: Wire Speed Access Control Lists
Summary
Modern LAN switches are capable of handling millions of security access-list lookups per
second in a stateless manner. That is, they do not maintain connection records for traffic
permitted by the ACL, unlike stateful firewalls, for example. With a wire-speed switch-based
ACL, data is processed on a packet-per-packet basis rather than on the per-flow basis used by
a firewall. To scale to the numbers required by the traffic volumes found in large
LAN networks, most LAN switch hardware architectures rely on ASICs or on specific
memory structures and circuits. An example of such a technology is the Cisco TCAM. The
lightning-fast processing speed offered by those architectures can be advantageously
leveraged to complement other security devices in the network to offer security in depth.