Riccardo,

You're bringing out some VERY nice and interesting info about the hardware processing of frames in C6k5 Thanks for that!

Best regards,

Peter

u r welcome buddy!

As Peter pointed out the BPDU's are always punted to the CPU at  hardware level (referring to port ASIC level) before VACL or Mac ACL are  applied as all ACL logic occurs at EARL level (PFC) but if a packet is  punted to the CPU (the SP component) from the port ASIC it would not go  through Earl at all.

And one more nub question - what about for eg. RECEIVE adjacency in FIB, packets that fit these route  punted to RP from PFC level so PACL/VACL are normally aplied to this traffic cos routed to RP hapens latter than ACL checking - am i right?

Tnx a lot for explanation. So possibility of filtering BPDU with PACL or VACL is platform-dependent, right?

Riccardo Simoni написал(а):
The reason is that the MAC register component looks for the BDPU bit which is set to 1 for BPDUs (and for other L2 PDUs which must be sent to the SP all the time) and punts the frames with such bit to the SP right away.
On the contrary bpdufilter works at that level (MAC register level within port ASIC) and programs this level of hardware to drop frames with such bit set.

Its great explanation, but for my level those things are completely new - my knowledge of input logic of packet threatment is smth like that - input queue ->pfc ->output queue (or MSFC), can u recommend any document for indepth research of process (googling for eg "MAC register component" returns nothing).

Besides "BDPU bit which is set to 1" its meaned fourh bit in most control messages multicast mac?

Hi Alexey,

yes every platform handles the feature differently and for the bpdu bit it is set by 6500 hw to make sure stp and cdp are always punted to the SP; that is why you did not find info in that sense.

About documentation I am afraid there is none that can be found on the internet as this refers to cisco architecture.

R

One more question arised - in the same document Port ACLs (PACLs) and VLAN ACLs (VACLs) stays that

 The port ACL feature is supported only in hardware (port ACLs are not applied to any packets routed in software). 

Is this mean that any packets which matches receive, punt and glean andjacencies will pass PACL without checking?

Besides on following picture

shown that PACL applied before bridging and i can make assumption that decision to punt packet to RP or forward made after PACL aplied so how to distinct on this stage that packet will be afterwards punted to RP and pass it without checking against PACL? Or i made bogus assumption from this picture?

And i never think about this previously - is this any analogy of software switching for bridging packets? Control packets of L2 protocols which directed to device itself (CDP, DTP, STP and etc.) can it be said that those packets match receive adjacency or those terms only  can be applied to L3 packets? For eg. as you previously clarified to me Catalyst 6500 redirects those packets directly from port ASIC, but for those platforms having different architecture eg. 3560, 2950 -  them don’t punt control packets from MAC register level, than those control packets directed to some ASIC responsible for bridging (those ASIC use TCAM as i understand) and there in TCAM stays that those dest macs (01-00-0C-CC-CC-CC for eg.) matches smth like "receive adjacency" and from there those packets punted to SP?

Thanks in advance!