Aruba 3810M and Hardware based ACLs

Hi community,

I was looking for some information about how ACLs are implemented in the Aruba 3810M switch. I want to know if they are hardware-based, wirespeed ACLs, but I found no documentation about it.

The only document I have found on the Internet is the following one, which talks about "How Hardware-Based ACLs Work" for the old ProCurve 9300 routing switches:

ftp://ftp.hp.com/pub/networking/software/59906030-e1.pdf

Can anybody give me a hand?

Regards

PS: If you feel this information is useful and solved your question or problem, please do not forget to mark it as a solution and give me some kudos.

Accepted Solutions
Aruba Employee

Re: Aruba 3810M and Hardware based ACLs

Hi N3tw0rk3r,

The 2910/2920/3500/5400/8200/5400R platforms use a TCAM (Ternary Content Addressable Memory) to implement ACLs.
This area in hardware allows many fields in a packet to be compared at once.

The 3810/5400R v3 modules contain an egress CAM. This is a separate CAM from the ingress CAM on the module and will perform egress filtering separate from the ingress CAM. The capabilities of the egress are the same as the ingress CAM with the following exceptions:
• Egress CAM supports a smaller number of entries.
• Actions of mirroring and remarking are not supported.
• Packets cannot be copied.

Hope this helps



All Replies
Aruba Employee

Re: Aruba 3810M and Hardware based ACLs

Hi, check for the Security Guide at http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00038700en_us-1.pdf

The hardware (TCAM) resources used by the ACLs configured on the switch are 4 of 8 Policy Engine management resources.

Resource usage includes resources actually in use, or reserved for future use by the listed feature. Internal dedicated-purpose resources, such as port bandwidth limits or VLAN QoS priority, are not included.

I think ACL wirespeed can be matched with switching capacity non-blocking.


If it helps please add Kudos

-Pepe
Aruba Employee

Re: Aruba 3810M and Hardware based ACLs

Hi, the 2540, 2930, 3810 and 5400v3 series switches use hardware-based ACLs. The ACEs are typically stored in a TCAM which is part of the ASIC.

Hope this helps.


Re: Aruba 3810M and Hardware based ACLs

Hi Dik,

Thanks for your answer.

I read a document somewhere that said the 3810M uses CAM to store ACEs instead of TCAM.

As far as I know, CAM and TCAM are different types of memory, but basically, they are hardware-based. In fact, some of the models that you mentioned use TCAM and other models use CAM to implement ACLs and QoS.

Can you confirm that the 3810M uses CAM to implement ACLs and QoS in hardware?

Kind regards


PS: If you feel this information is useful and solved your question or problem, please do not forget to mark it as a solution and give me some kudos.
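
As an added illustration, not part of any post in this thread and not a description of the 3810M ASIC: a minimal Python model of the ternary (value/mask) matching that lets a TCAM compare many packet fields at once, and of how many rows an exact-match CAM would need to cover the same ACE. The 88-bit key layout, the sample ACL and all function names are assumptions made for the example.

```python
import ipaddress

WIDTH = 88  # assumed key layout: src(32) | dst(32) | proto(8) | dst_port(16)

def pack_key(src, dst, proto, dport):
    """Concatenate the header fields into one search key."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    return (s << 56) | (d << 24) | (proto << 16) | dport

def ace(action, src_net, dst_net, proto=None, dport=None):
    """Build one ternary entry (value, care_mask, action); None means don't care."""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    value = (int(s.network_address) << 56) | (int(d.network_address) << 24)
    care = (int(s.netmask) << 56) | (int(d.netmask) << 24)
    if proto is not None:
        value |= proto << 16
        care |= 0xFF << 16
    if dport is not None:
        value |= dport
        care |= 0xFFFF
    return value, care, action

def tcam_lookup(table, key, default="deny"):
    """Return the action of the first entry whose cared-for bits equal the key.
    Hardware compares every entry in parallel and a priority encoder picks the
    lowest index; this loop produces the same result sequentially."""
    for value, care, action in table:
        if (key ^ value) & care == 0:
            return action
    return default  # implicit deny at the end of a conventional ACL

def exact_entries_needed(entry):
    """Rows a binary (exact-match) CAM would need to cover one ternary entry."""
    _, care, _ = entry
    return 2 ** (WIDTH - bin(care).count("1"))

# Constructed sample ACL using documentation address ranges (not from the thread).
ACL = [
    ace("deny", "192.0.2.0/24", "0.0.0.0/0", proto=6, dport=23),
    ace("permit", "192.0.2.0/24", "198.51.100.0/24", proto=6),
    ace("permit", "0.0.0.0/0", "198.51.100.10/32", proto=17, dport=53),
]

if __name__ == "__main__":
    pkt = ("192.0.2.7", "198.51.100.5", 6, 23)  # constructed packet
    print(pkt, "->", tcam_lookup(ACL, pack_key(*pkt)))
    print("exact-match rows for ACE 1:", exact_entries_needed(ACL[0]))
```

Entry order is the priority: the Telnet deny has to sit above the broader TCP permit, because only the first matching entry's action is returned.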