Examples: Variable-Sized CAM Classification for IPv6 Policies

Variable-sized CAM entries are supported for IPv6 policies to avoid wasting memory space. For example, if the classifier entries in a policy consume a 576-bit CAM entry when a 144-bit CAM entry is sufficient to store the classifier, over 400 bits of CAM memory are wasted. CAM memory is divided into blocks at the hardware level. Each CAM block can support 8000 144-bit, 4000 288-bit, or 2000 576-bit CAM entries. Based on the IPv6 header CAM entry size calculation, the minimum entry size required for IPv6 classification is 8 bits and the maximum entry size required is 336 bits.

Policy Manager calculates the CAM bit size and configures the CAM entries on the line modules. The size of the CAM entry is determined using the limits defined for each of the IP classifier entry combination. In earlier releases, any policy configuration with CAM entries that exceeded the 128-bit limitation failed to be attached to the interface because it was not allowed by Policy Manager.

Beginning with JunosE Release 10.2.x, the IPv6 classification functionality is modified to classify traffic on more than 128 bits. To improve scalability for IPv6 policies, Policy Manager uses the optimum CAM entry size, depending on the IPv6 policy definition. The policy definition of IPv6 is used to determine which classification fields in the combined IPv6 classifier are present and the CAM entry length is computed dynamically. The following three different kinds of results are possible for an IPv6 policy:

• Sum of all classifier fields is less than or equal to 128 bits
• Sum of all classifier fields is between 128 bits and 272 bits
• Sum of all classifier fields is between 272 bits and 336 bits

CAM hardware classifiers support four types of CAM entries—72-bit, 144-bit, 288-bit, and 576-bits (16-bits are reserved for rule set id). Each of the policies fit into one of these four CAM entry types. The 72-bit CAM entry is not chosen as CAM devices on some line modules do not support this size limit. Therefore, the 144-bit, 288-bit, and 576-bit CAM entries are used as the variable-length CAM entries for IPv6 policies.

The following sections describe examples for each type of variable length IPv6 classification and the number of CAM entries for each case:

144-bit IPv6 Classification Example

In this example, a policy with a combination of IPv6 classifiers is created and attached. The configuration conforms to the 144 bit limit.

1. Match all TCP SYN packets from 1:1:: to any DA with port 2000.
   host1(config)#ipv6 classifier-list tcpCLACL source-address 1:1::/32 tcp destination-port eq 2000 tcp-flags "SYN"
2. Match all IPv6 packets to net 2:2::.
   host1(config)#ipv6 classifier-list ipv6CLACL destination-address 2:2::/32
3. Match all ICMPv6 echo packets.
   host1(config)#ipv6 classifier-list icmpv6CLACL icmpv6 icmp-type 8 icmp-code 0
4. Match all frames with the color red.
   host1(config)#ipv6 classifier-list colorCLACL color red
5. Create an IPv6 policy list.
   host1(config)#ipv6 policy-list ipv6Pol host1(config-policy-list)#classifier-group colorCLACL host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group tcpCLACL host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group icmpv6CLACL host1(config-policy-list-classifier-group)#filter host1(config-policy-list-classifier-group)#classifier-group ipv6CLACL host1(config-policy-list-classifier-group)#filter

   The policy ipv6Pol is requesting classification on Source Address (first word), Destination Address (first word), Destination Port, Protocol, TCP Flags, ICMPv6 Type, ICMPv6 Code, Color, and TC field. Table 1 lists the active classifiers in the policy named ipv6Pol and the size of each classifier.

   Table 1: IPv6 Classification Fields for a 144-bit CAM Entry

   Classifiers	Size (Bits)
   Source address (first word)	32
   Destination address (first word)	32
   Destination port, ICMPv6 type, ICMPv6 code	16
   Protocol	8
   Color and TCP flags	8
   TC field	8

   The sum of all classification fields requested in ipv6Pol is 104. This size causes Policy Manager to use 144-bit CAM entry for every classifier in this policy. One CAM entry is needed for each classifier in the policy and therefore, four 144-bit CAM entries are needed in all.

288-bit IPv6 Classification Example

The following example creates and attaches a policy, which requests classification on a single host address and TCP. The configuration exceeds the 128 bit limit.

1. Match all TCP packets from host 1:1:1:1:1:1:1:1 to any DA
   host1(config)#ipv6 classifier-list sourceCLACL source-address 1:1:1:1:1:1:1:1/128 tcp
2. Create an IPv6 policy list.
   host1(config)#ipv6 policy-list ipv6Pol host1(config-policy-list)#classifier-group sourceCLACL host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#classifier-group * host1(config-policy-list-classifier-group)#filter

   The policy ipv6Pol is requesting classification on Source Address (all 4 words) and Protocol. Table 2 lists the active classifiers in the policy named ipv6Pol and the size of each classifier.

   Table 2: IPv6 Classification Fields for a 288-bit CAM Entry

   Classifiers	Size (Bits)
   Source address (first word)	32
   Source address (second word)	32
   Source Address (third word)	32
   Source Address (fourth word)	32
   Protocol	8

   The sum of all classification fields requested in ipv6Pol is 136, which is greater than 128-bit CAM entry size limit. Although this configuration fails to attach to the interface in JunosE releases earlier than Release 10.2.0, it is successfully attached to the interface, beginning with JunosE Release 10.2.x, and the next higher 288-bit CAM entry is allocated for this policy (two 288-bit entries because of two classifiers being defined in the policy).

576-bit IPv6 Classification Example

In this example, a policy with a combination of IPv6 classifiers is created and attached.

1. Match all TCP packets from host 1:1:1:1:1:1:1:1 to host 100::1 destined to port 80 from source port 10000
   host1(config)#ipv6 classifier-list tcpCLACL source-host 1:1:1:1:1:1:1:1 destination-host 100::1 tcp source-port eq 10000 destination-port eq 80
2. Match all frames with the color red
   host1(config)#ipv6 classifier-list colorCLACL color red
3. Create an IPv6 policy list.
   host1(config)#ipv6 policy-list ipv6Pol host1(config-policy-list)#classifier-group tcpCLACL host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#classifier-group colorCLACL host1(config-policy-list-classifier-group)#forward host1(config-policy-list-classifier-group)#classifier-group * host1(config-policy-list-classifier-group)#filter

   The policy ipv6Pol is requesting classification on Source Address (all 4 words), Destination address (all 4 words) and Protocol. Table 3 lists the active classifiers in the policy named ipv6Pol and the size of each classifier.

   Table 3: IPv6 Classification Fields for a 576-bit CAM Entry

   Classifiers	Size (Bits)
   Source address (first word)	32
   Source address (second word)	32
   Source Address (third word)	32
   Source address (fourth word)	32
   Destination Address (first word)	32
   Destination address (second word)	32
   Destination Address (third word)	32
   Destination Address (fourth word)	32
   Protocol	8
   Destination Port	16
   Source Port	16
   Color	8

   The sum of all classification fields requested in ipv6Pol is 304, which is greater than 128-bit CAM entry size limit. Although this configuration fails to attach to the interface in earlier releases, it is successfully attached to the interface, beginning with this release, and the maximum 576-bit CAM entry is allocated for this policy (three 576-bit entries, one for each classifier in the policy).