KSZ8795CLX
- Group of rules to be qualified, there are 16 entries rule can be assigned to a rule set per port by the two rule-
set registers. The rule table allows the rules to be cascaded. There are 16 entries in the RTB. Each entry can
be a rule on its own, or can be cascaded with other entries to form a rule set. The test result of incoming pack-
ets against rule set will be the AND’ed result of all the test result of incoming packets against the rules
included in this rule set. The action of the rule set will be the action of the first rule specified in FRN field. The
rule with higher priority will have lower index number. Or rule 0 is the highest priority rule and rule 15 is the
lowest priority. ACL rule table entry is disabled when mode bits are set to 2’b00.
A rule set (RULESET) is used to select the match results of different rules against incoming packets. These
selected match results will be AND’ed to determine whether the frame matches or not. The conditions of dif-
ferent rule sets having the same action will be OR’ed for comparison with frame fields, and the CPU will pro-
gram the same action to those rule sets that are to be OR’ed together. For matched rule sets, different rule
sets having different actions will be arbitrated or chosen based upon the first rule number (FRN) of each rule
set. The rule table will be set up with the high priority rule at the top of the table or with the smaller index.
Regardless whether the matched rule sets have the same or different action, the hardware will always com-
pare the first rule number of different rule sets to determine the final rule set and action.
3.6.12.2
DOS Attack Prevention via ACL
The ACL can provide certain detection/protection of the following denial of service (DoS) attack types based on rule
setting, which can be programmed to drop or not to drop each type of DoS packet respectively.
Example 1
When MD = 10, ENABLE = 10, setting EQ bit to 1 can determine the drop or forward packets with identical source and
destination IP addresses in IPv4/IPv6.
Example 2
When MD = 11, ENABLE = 01/10, setting EQ bit to 1 can determine the drop or forward packets with identical source
and destination TCP/UDP Ports in IPv4/IPv6.
Example 3
When MD = 11, ENABLE = 11, Sequence Number = 0, FME = 1, FMSK = 00101001, FLAG = xx1x1xx1, Setting the EQ
bit to 1 will drop/forward the all packets with a TCP sequence number equal to 0, and flag bit URG = 1, PSH = 1 and
FIN = 1.
Example 4
When MD = 11, ENABLE = 01, MAX Port = 1024, MIN Port = 0, FME = 1, FMSK = 00010010, FLAG = xxx0xx1x, Setting
the EQ bit to 1 will drop/forward the all packets with a TCP Port number ≤ 1024, and flag bit URB = 0, SYN = 1.
ACL related registers list as:
• The Register 110 (0x6E), the Register 111 (0x6F) and the ACL rule tables.
2016 Microchip Technology Inc.
DS00002112A-page 45
MICREL [ MICREL SEMICONDUCTOR ]
