Monday, March 9, 2009

DHCP Snooping & the TCAM ACL table

While playing with DHCP snooping on an ME-3400 switch (which shouldn't behave differently from a 3560/3750), I found out the following interesting information.

When you enable DHCP snooping, 3 special ACL entries are created dynamically in the TCAM ACL table. These are defined as L3 Input and you can check them out by using the following command:


switch#sh platform tcam table acl | i 43
58 40_00000000_00000000-00_40000043_00430000 0000001F L3 Input
60 40_00000000_00000000-00_40000044_00430000 0000001F L3 Input
62 40_00000000_00000000-00_40000043_00440000 0000001F L3 Input


43 in hex is 67 in dec, which is the UDP port a BOOTP/DHCP server listens on.
44 in hex is 68 in dec, which is the UDP port a BOOTP/DHCP client sends from.

You can also see more details about these TCAM entries by specifying the index number and adding the detail keyword:


switch#sh platform tcam table acl index 58 detail

=============================================================================
ACL Cam Table (#entries: 8192, startIndex: 13696)

Index ACL CAM Table ACL
-----------------------------------------------------------------------------
mask-> F0_00000000_00000000-00_C000FFFF_FFFF0000
58 40_00000000_00000000-00_40000043_00430000 0000001F

l3CamInputAclDescriptor Value Mask
-----------------------------------------------------------------------------
lookupType: 4 F
cos: 0 0
inputAclType: 0 0
l3Destination: 00.00.00.00 00.00.00.00
l3Source: 00.00.00.00 00.00.00.00
inputAclLabel: 0 0
l4Select: 1 3
l3DontFragment: 0 0
l3MoreFragments: 0 0
l3SmallOffset: 0 0
l3NotFirstFragment: 0 0
l3ReservedFlag: 0 0
l2Bcast: 0 0
l3Dscp: 0 0
l3TosReserved: 0 0
l4Destination: 43 FFFF
l4Source: 43 FFFF
l4Map: 0 0

AclDescriptor
-----------------------------------------------------------------------------
aclStatisticsIndex: 0
aclLogIndex: 0
denyRoute: 0
denyBridge: 0
spanDest0En: 0
spanDest1En: 0
redirectIndex: 1F


switch#sh platform tcam table acl index 60 detail

=============================================================================
ACL Cam Table (#entries: 8192, startIndex: 13696)

Index ACL CAM Table ACL
-----------------------------------------------------------------------------
mask-> F0_00000000_00000000-00_C000FFFF_FFFF0000
60 40_00000000_00000000-00_40000044_00430000 0000001F

l3CamInputAclDescriptor Value Mask
-----------------------------------------------------------------------------
lookupType: 4 F
cos: 0 0
inputAclType: 0 0
l3Destination: 00.00.00.00 00.00.00.00
l3Source: 00.00.00.00 00.00.00.00
inputAclLabel: 0 0
l4Select: 1 3
l3DontFragment: 0 0
l3MoreFragments: 0 0
l3SmallOffset: 0 0
l3NotFirstFragment: 0 0
l3ReservedFlag: 0 0
l2Bcast: 0 0
l3Dscp: 0 0
l3TosReserved: 0 0
l4Destination: 44 FFFF
l4Source: 43 FFFF
l4Map: 0 0

AclDescriptor
-----------------------------------------------------------------------------
aclStatisticsIndex: 0
aclLogIndex: 0
denyRoute: 0
denyBridge: 0
spanDest0En: 0
spanDest1En: 0
redirectIndex: 1F


switch#sh platform tcam table acl index 62 detail

=============================================================================
ACL Cam Table (#entries: 8192, startIndex: 13696)

Index ACL CAM Table ACL
-----------------------------------------------------------------------------
mask-> F0_00000000_00000000-00_C000FFFF_FFFF0000
62 40_00000000_00000000-00_40000043_00440000 0000001F

l3CamInputAclDescriptor Value Mask
-----------------------------------------------------------------------------
lookupType: 4 F
cos: 0 0
inputAclType: 0 0
l3Destination: 00.00.00.00 00.00.00.00
l3Source: 00.00.00.00 00.00.00.00
inputAclLabel: 0 0
l4Select: 1 3
l3DontFragment: 0 0
l3MoreFragments: 0 0
l3SmallOffset: 0 0
l3NotFirstFragment: 0 0
l3ReservedFlag: 0 0
l2Bcast: 0 0
l3Dscp: 0 0
l3TosReserved: 0 0
l4Destination: 43 FFFF
l4Source: 44 FFFF
l4Map: 0 0

AclDescriptor
-----------------------------------------------------------------------------
aclStatisticsIndex: 0
aclLogIndex: 0
denyRoute: 0
denyBridge: 0
spanDest0En: 0
spanDest1En: 0
redirectIndex: 1F


All the above values are in hex and with a little bit of experimenting (and guessing), you'll find that:

l3Destination is the destination ip address
l3Source is the source ip address
l4Select is the L4 protocol (1=udp, 2=tcp)
l4Destination is the destination port
l4Source is the source port

The mask defines the care/don't-care bits, in the same way masks are used in ACL construction.
Since mask 3 is used for the l4Select value, I guess only the last 2 bits (11 in binary = 3 in hex) of this field are significant. Mask FFFF, which is used for the src/dst ports, means that all bits are significant (values 0-65535).

So the above 3 TCAM entries actually translate to:


udp any eq 67 any eq 67
udp any eq 67 any eq 68
udp any eq 68 any eq 67
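To make the mask-as-care-bits reasoning and the translation above mechanical, here is an added Python decoder (not part of the original post and not a Cisco tool) that parses the mask-> and entry lines from the detail output and renders each key/mask pair as ACL-style text, source before destination as in the list above. The bit positions of l4Select, l4Destination and l4Source inside the raw hex words are an assumption, inferred by lining the raw entry up against the field values and masks printed in the detail output; the order of l3Destination/l3Source as the two middle words is likewise assumed, and the trailing 0000001F word is simply carried through as the entry's result word.

```python
import re

# l4Select protocol codes as given in the post (1 = udp, 2 = tcp)
L4_PROTO = {1: "udp", 2: "tcp"}

# Raw entry layout: a byte, two 32-bit words, '-', a byte, two 32-bit words
ENTRY_RE = re.compile(
    r"^([0-9A-F]{2})_([0-9A-F]{8})_([0-9A-F]{8})-([0-9A-F]{2})_([0-9A-F]{8})_([0-9A-F]{8})$"
)

# One entry in 'sh platform tcam table acl index N detail': a 'mask->' line
# immediately followed by '<index> <key> <result>'
DETAIL_RE = re.compile(
    r"mask->\s+(?P<mask>\S+)\s+(?P<index>\d+)\s+(?P<key>\S+)\s+(?P<result>[0-9A-Fa-f]+)"
)


def split_words(entry):
    """Split a key or mask string into its six integer words."""
    m = ENTRY_RE.match(entry.strip().upper())
    if not m:
        raise ValueError(f"unrecognised TCAM entry format: {entry!r}")
    return [int(g, 16) for g in m.groups()]


def fields(key, mask):
    """Return {field: (value, care_mask)} for the fields the post identifies.

    Bit positions are an ASSUMPTION matched against the detail output:
    lookupType is the high nibble of word 0, l3Destination and l3Source are
    words 1 and 2 (the order the detail output lists them), l4Select is the
    top 2 bits of word 4 (mask C0... <-> mask 3), l4Destination the low
    16 bits of word 4, and l4Source the high 16 bits of word 5.
    """
    k, m = split_words(key), split_words(mask)
    return {
        "lookupType":    ((k[0] >> 4) & 0xF,     (m[0] >> 4) & 0xF),
        "l3Destination": (k[1],                  m[1]),
        "l3Source":      (k[2],                  m[2]),
        "l4Select":      ((k[4] >> 30) & 0x3,    (m[4] >> 30) & 0x3),
        "l4Destination": (k[4] & 0xFFFF,         m[4] & 0xFFFF),
        "l4Source":      ((k[5] >> 16) & 0xFFFF, (m[5] >> 16) & 0xFFFF),
    }


def dotted(word):
    return ".".join(str((word >> s) & 0xFF) for s in (24, 16, 8, 0))


def ip_term(value, mask):
    """Render an address field: zero care-mask is 'any', a partial one becomes a wildcard mask."""
    if mask == 0:
        return "any"
    if mask == 0xFFFFFFFF:
        return f"host {dotted(value)}"
    return f"{dotted(value)} {dotted(mask ^ 0xFFFFFFFF)}"


def port_term(value, mask):
    """Render a port field; only a full FFFF mask has a plain 'eq' equivalent."""
    if mask == 0:
        return ""
    if mask == 0xFFFF:
        return f"eq {value}"
    return f"match 0x{value:04X}/0x{mask:04X}"


def to_acl(key, mask):
    """Translate one key/mask pair into ACL-style text (source before destination)."""
    f = fields(key, mask)
    sel, sel_mask = f["l4Select"]
    # an l4Select care-mask of 0 means the protocol is not matched: render as 'ip' (assumption)
    proto = L4_PROTO.get(sel, f"l4select-{sel}") if sel_mask else "ip"
    src = " ".join(t for t in (ip_term(*f["l3Source"]), port_term(*f["l4Source"])) if t)
    dst = " ".join(t for t in (ip_term(*f["l3Destination"]), port_term(*f["l4Destination"])) if t)
    return f"{proto} {src} {dst}"


def decode_detail(text):
    """Return [(index, acl_text, result_word)] for every entry found in detail output."""
    return [
        (int(m["index"]), to_acl(m["key"], m["mask"]), int(m["result"], 16))
        for m in DETAIL_RE.finditer(text)
    ]


# Constructed sample: the mask/entry lines copied from the three detail outputs in the post.
SAMPLE = """\
mask-> F0_00000000_00000000-00_C000FFFF_FFFF0000
58 40_00000000_00000000-00_40000043_00430000 0000001F

mask-> F0_00000000_00000000-00_C000FFFF_FFFF0000
60 40_00000000_00000000-00_40000044_00430000 0000001F

mask-> F0_00000000_00000000-00_C000FFFF_FFFF0000
62 40_00000000_00000000-00_40000043_00440000 0000001F
"""

if __name__ == "__main__":
    for index, acl, result in decode_detail(SAMPLE):
        print(f"{index:>3}  {acl:<28} result=0x{result:X}")
```

Running it prints the three lines in the translation above, one per index. The decoder goes slightly beyond the post's entries: a zero l3 care-mask renders as any, a full one as host, a partial one as a wildcard mask, and a zero l4Select care-mask renders the protocol as ip, so other entries from the same table can be fed through it and compared against the detail output.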

According to the DHCP snooping operation, the 1st (which seems a little bit strange) and 2nd entries should somehow be used on the trusted ports (DHCP servers), while the 3rd entry should be used on the untrusted ports (DHCP clients).

What I haven't figured out yet is how these special ACL entries are actually used. IMHO, it looks like an ACL used for matching traffic, like the one you use under class maps in QoS. IP Source Guard and Dynamic ARP Inspection might use these as well.

5 comments:

  1. nice find. I'll give it a try on my equipment as well.

  2. I wonder whether the redirectIndex value is significant?

    I recall in the Private Hosts feature docs there was a strange but unexplained mention of a Redirect ACL being used on a port ACL - but there is no user configurable redirect ACL command I know of.

    Anyway, just a wild guess :-)

    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/pvthost.html

    redirect any host FFFF.FFFF.FFFF to LTLIndex 6

  3. Oliver, they could be somehow related (although DHCP snooping on the 6500 works a little bit differently, because it needs an SVI for the VLAN being snooped).

    But in both cases on the 6500 (DHCP snooping & Private Hosts) it seems that intercepted packets are redirected to a LTL (Local Target Logic) Index by using a hardware ACL.

  4. Hey Tassos, this redirectIndex sends DHCP packets to the CPU host queue as you will see with 'sh plat port-asic dest-map index 0x1f'

  5. Thanks a lot for the hint Phil.


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.