KSZ8795CLX
3.6.9.3
Transmit Queue Ratio Programming
In transmit queues 0-3 of the egress port, the default priority ratio is 8:4:2:1. The priority ratio can be programmed by
the Port Control 10, 11, 12, and 13 registers. When the transmit rate exceeds the ratio limit in the transmit queue, the
transmit rate will be limited by the transmit queue 0-3 ratio of the Port Control 10, 11, 12, and 13 registers. The highest
priority queue will not be limited. Other lower priority queues will be limited based on the transmit queue ratio.
3.6.10
VLAN AND ADDRESS FILTERING
To prevent certain kinds of packets that could degrade the quality of the switch in applications such as voice over internet
protocol (VoIP), the switch provides the mechanism to filter and map the packets with the following MAC addresses and
VLAN IDs.
• Self-address packets
• Unknown unicast packets
• Unknown multicast packets
• Unknown VID packets
• Unknown IP multicast packets
The packets sourced from switch itself can be filtered out by enabling self-address filtering via the Global Control 18
Register Bit[6]. The self-address filtering will filter packets on the egress port; self MAC address is assigned in the Reg-
ister 104-109 MAC Address Registers 0-5.
The unknown unicast packet filtering can be enabled by the Global Control Register 15 Bit[5] and Bits[4:0] specify the
port map for forwarding.
The unknown multicast packet filtering can be enabled by the Global Control Register 16 Bit[5] and forwarding port map
is specified in Bits[4:0].
The unknown VID packet filtering can be enabled by Global Control Register 17 Bit[5] with forwarding port map specified
in Bits[4:0].
The unknown IP multicast packet filtering can be enable by Global Control Register 18 Bit[5] with forwarding port map
specified in Bits[4:0].
Those filtering above are global based.
3.6.11
802.1X PORT-BASED SECURITY
IEEE 802.1x is a port-based authentication protocol. EAPOL is the protocol normally used by the authentication process
as an uncontrolled port. By receiving and extracting special EAPOL frames, the microprocessor (CPU) can control
whether the ingress and egress ports should forward packets or not. If a user port wants service from another port
(authenticator), it must get approved by the authenticator. The KSZ8795CLX detects EAPOL frames by checking the
destination address of the frame. The destination addresses should be either a multicast address as defined in IEEE
802.1x (01-80-C2-00-00-03) or an address used in the programmable reserved multicast address domain with offset -
00-03. Once EAPOL frames are detected, the frames are forwarded to the CPU so it can send the frames to the authen-
ticator server. Eventually, the CPU determines whether the requestor is qualified or not based on its MAC_Source
addresses, and frames are either accepted or dropped.
When the KSZ8795CLX is configured as an authenticator, the ports of the switch must then be configured for authori-
zation. In an authenticator-initiated port authorization, a client is powered up or plugs into the port, and the authenticator
port sends an extensible authentication protocol (EAP) PDU to the supplicant requesting the identification of the suppli-
cant. At this point in the process, the port on the switch is connected from a physical standpoint; however, the 802.1X
process has not authorized the port and no frames are passed from the port on the supplicant into the switching fabric.
If the PC attached to the switch did not understand the EAP PDU that it was receiving from the switch, it would not be
able to send an ID and the port would remain unauthorized. In this state, the port would never pass any user traffic and
would be as good as disabled. If the client PC is running the 802.1X EAP, it would respond to the request with its con-
figured ID. This could be a user name/password combination or a certificate.
After the switch, the authenticator receives the ID from the PC (the supplicant). The KSZ8795CLX then passes the ID
information to an authentication server (RADIUS server) that can verify the identification information. The RADIUS
server responds to the switch with either a success or failure message. If the response is a success, the port will then
be authorized and user traffic will be allowed to pass through the port like any switch port connected to an access device.
If the response is a failure, the port will remain unauthorized and, therefore, unused. If there is no response from the
server, the port will also remain unauthorized and will not pass any traffic.
2016 Microchip Technology Inc.
DS00002112A-page 41
MICREL [ MICREL SEMICONDUCTOR ]
