KSZ8795CLX Parameters, Datasheet PDF Download

Part number: KSZ8795CLX
Description: [Integrated 5-Port 10/100-Managed Ethernet Switch with Gigabit GMII/RGMII and MII/RMII Interfaces]
Category and application: Local area network (LAN) standard
File pages/size: 132 pages / 1359 K
Brand: MICREL [ MICREL SEMICONDUCTOR ]
KSZ8795CLX  
3.6.11.1 Authentication Register and Programming Model
The port authentication control registers define the control of port-based authentication. The per-port authentication can  
be programmed in these registers. KSZ8795CLX provides three modes for implementing the IEEE 802.1x feature. Each  
mode can be selected by setting the appropriate bits in the port authentication registers.  
When mode control bits AUTHENTICATION_MODE = 00 (pass mode), forced-authorization is enabled and a port is always authorized and does not require any messages from either the supplicant or the authentication server. This is typically the case when connecting to another switch, a router, or a server, and also when connecting to clients that do not support 802.1X. When ACL is enabled, all packets that miss the ACL rules are passed; otherwise, the ACL actions apply.
The block mode (when AUTHENTICATION_MODE = 01) is the standard port-based authentication mode. A port in this mode sends EAP packets to the supplicant and will not become authorized unless it receives a positive response from the authentication server. Before authentication, all incoming packets are blocked; upon authentication, software switches the port to pass mode to allow all incoming packets. In this mode, the source address of incoming packets is not checked. The forwarding map for all reserved multicast addresses, including the EAP address, needs to be configured in the lookup table so that they are forwarded both before and after authentication. When ACL is enabled, all packets except those that hit an ACL rule are blocked.
The third mode is trap mode (when AUTHENTICATION_MODE = 11). In this mode, all packets are sent to the CPU port. If ACL is enabled, packets that miss the ACL rules are forwarded to the CPU rather than dropped. All of these per-port features are selected through the Port Control 5 register: Bit[2] enables ACL, and Bits[1:0] select the mode.
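The bit layout and the three modes above, written out as an added example; it is not code from the datasheet or from any vendor driver. All names are hypothetical, the code works on the register value only because this page gives no register address, and treating an ACL hit as "ACL action applies" in block and trap modes is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout as stated in the text: Bit[2] = ACL enable, Bits[1:0] = mode. */
#define PC5_ACL_ENABLE 0x04u
#define PC5_MODE_MASK  0x03u
enum auth_mode { MODE_PASS = 0x0, MODE_BLOCK = 0x1, MODE_TRAP = 0x3 };
enum verdict { FORWARD, DROP, TO_CPU, ACL_ACTION, UNDEFINED };

/* Read-modify-write: set mode and ACL bits, preserve bits [7:3]. */
uint8_t pc5_set(uint8_t reg, enum auth_mode mode, int acl_on)
{
    reg &= (uint8_t)~(PC5_ACL_ENABLE | PC5_MODE_MASK);
    reg |= (uint8_t)((unsigned)mode & PC5_MODE_MASK);
    if (acl_on) reg |= PC5_ACL_ENABLE;
    return reg;
}

/* Fate of an ingress packet. Assumption: an ACL hit hands the packet to
 * the ACL action in every mode (the page states this for pass mode only). */
enum verdict pc5_verdict(uint8_t reg, int acl_hit)
{
    if ((reg & PC5_ACL_ENABLE) && acl_hit) return ACL_ACTION;
    switch (reg & PC5_MODE_MASK) {
    case MODE_PASS:  return FORWARD;   /* forced-authorized port */
    case MODE_BLOCK: return DROP;      /* blocked until software sets pass mode */
    case MODE_TRAP:  return TO_CPU;    /* sent to the CPU port */
    default:         return UNDEFINED; /* 10 is not described on the page */
    }
}

/* Audit: bitmask of ports in edge_mask that are not in block or trap mode,
 * i.e. ports expected to enforce 802.1X that are not set up to do so. */
uint32_t pc5_audit(const uint8_t *regs, int nports, uint32_t edge_mask)
{
    uint32_t bad = 0;
    for (int p = 0; p < nports && p < 32; p++) {
        uint8_t m = regs[p] & PC5_MODE_MASK;
        if (((edge_mask >> p) & 1u) && m != MODE_BLOCK && m != MODE_TRAP)
            bad |= 1u << p;
    }
    return bad;
}

int main(void)
{
    uint8_t regs[] = { 0x00, 0x01, 0x05, 0x03, 0x04 }; /* constructed values */
    printf("edge ports not enforcing: 0x%02x\n", (unsigned)pc5_audit(regs, 5, 0x17));
}
```

A port in pass mode with ACL enabled (value 0x04 in the constructed data) is still reported by the audit, because packets that miss every ACL rule are passed.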
3.6.12 ACL FILTERING
Access control lists (ACL) can be created to perform protocol-independent Layer 2 MAC, Layer 3 IP, or Layer 4 TCP/UDP ACL filtering, which filters incoming Ethernet packets based on the ACL rule table. The feature allows the switch to filter customer traffic based on the source MAC address in the Ethernet header, the IP address in the IP header, and the port number and protocol in the TCP header. This function can be performed through the MAC table and the ACL rule table. Besides multicast filtering handled using entries in the static table, ACLs can be configured for all routed network protocols to filter the packets of those protocols as the packets pass through the switch. ACLs can prevent certain traffic from entering or exiting a network.
3.6.12.1 Access Control Lists
The KSZ8795CLX offers a rule-based ACL rule table. The ACL rule table is an ordered list of access control entries.  
Each entry specifies certain rules (a set of matching conditions and action rules) to permit or deny the packet access to  
the switch fabric. The meaning of ‘permit’ or ‘deny’ depends on the context in which the ACL is used. When a packet is  
received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet  
has the permissions required to be forwarded, based on the conditions specified in the lists.  
The filter tests the packets against the ACL entries one by one. Usually the first match determines whether the router accepts or rejects packets. However, rules can be cascaded to form more robust and/or stringent requirements for incoming packets. ACLs allow the switch to filter ingress traffic based on the source and destination MAC address and Ethernet Type in the Layer 2 header, the source and destination IP address in the Layer 3 header, and the port number and protocol in the Layer 4 header of a packet.
Each list consists of three parts:  
• Matching Field  
• Action Field  
• Processing Field  
The matching field specifies the rules that each packet matches against and the action field specifies the action taken  
if the test succeeds against the rules. Figure 3-11 shows the format of ACL and a description of the individual fields.  
DS00002112A-page 42  
2016 Microchip Technology Inc.  