Technology Behind Fast ACL Lookups
How do modern LAN switches perform ACL lookups millions of times per second? An
ACL lookup is, in and of itself, a rather simple operation: IPv4 packets adhere to a well-defined
binary packet format, with fixed-size addresses always starting at the same offset.
Because IPv4 addresses are defined using only 4 bytes, searching for a specific address
requires only a few operations when the right data structure is used. Most algorithm-based
software solutions for address lookups use data structures called tries. (The spelling
comes from the word retrieval.) In a nutshell, a trie is a tree where branching decisions are
taken based on values of successive bits in the address, as Figure 16-6 shows.
[Figure: It Is Possible to Combine the Use of RACL and VACL at the Same Time for Layer 3 Switched Packets. Labels: Layer 3 input interface (IP address 10.10.50.1) with input RACL; Layer 3 output interface (IP address 10.10.60.1) with output RACL; Layer 2 interface in VLAN 50 with input VACL; Layer 2 interface in VLAN 60 with output VACL; packet bridged, packet routed, packet bridged; Layer 2 engine; routing engine.]
268 Chapter 16: Wire Speed Access Control Lists
Figure 16-6 Binary Search Tree
Many different types of trees and tries exist, and optimizing the algorithms used for address
lookups is an active area of computer-science research. However, it is safe to say that
performing these algorithms using standard off-the-shelf processors with relatively slow
memory access does not yield tens of millions of lookups per second.
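
The trie lookup described above, as an added example that is not from the original text: a binary trie in Python that branches on successive address bits and returns the first-match ACL action in at most 32 steps, however long the ACL is. The class names, sequence numbers and sample entries are assumptions constructed for illustration, and entries are limited to contiguous IPv4 prefixes on a single address field.

```python
import ipaddress

class Node:
    __slots__ = ("child", "rule")
    def __init__(self):
        self.child = [None, None]   # branch taken for bit value 0 / 1
        self.rule = None            # (sequence, action) for a prefix ending here

class AclTrie:
    """Hypothetical helper: ACL entries keyed by IPv4 prefix, first match wins."""
    def __init__(self):
        self.root = Node()

    def add(self, seq, action, prefix):
        net = ipaddress.ip_network(prefix)
        addr = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):            # most significant bit first
            bit = (addr >> (31 - i)) & 1
            if node.child[bit] is None:
                node.child[bit] = Node()
            node = node.child[bit]
        # If two entries share a prefix, the earlier line shadows the later one.
        if node.rule is None or seq < node.rule[0]:
            node.rule = (seq, action)

    def lookup(self, address):
        addr = int(ipaddress.ip_address(address))
        node, best = self.root, self.root.rule
        for i in range(32):                       # one branching decision per bit
            node = node.child[(addr >> (31 - i)) & 1]
            if node is None:
                break
            # Every rule on the path matches; keep the lowest sequence number.
            if node.rule and (best is None or node.rule[0] < best[0]):
                best = node.rule
        return best[1] if best else "deny"        # implicit deny ends every ACL

def build_sample():
    # Constructed ACL; the 10.10.50.x / 10.10.60.x addresses echo the figure labels.
    acl = AclTrie()
    acl.add(10, "deny", "10.10.50.128/25")
    acl.add(20, "permit", "10.10.50.0/24")
    acl.add(30, "deny", "10.10.0.0/16")
    acl.add(40, "permit", "0.0.0.0/0")
    return acl
```

The lookup selects by sequence number rather than by longest prefix, because an ACL is evaluated top-down and the first matching line decides.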
The secret behind the raw speed displayed by today’s LAN switches usually consists of
employing either packet lookup ASICs or another type of electronic circuit, called ternary
content-addressable memory (TCAM). Sometimes, the hardware design relies on a
combination of both.