In computer networking, an access control list (ACL) can refer to a strictly ordered list of rules applied to port numbers or IP addresses available on a host or other network. An ACL may be implemented on networking devices, such as routers and switches, to filter traffic and provide network security. For instance, an ACL may include rules that specify certain network hosts or addresses to which a switch should permit or deny access.
An ACL rule may be divided into a condition and an action. That is, if a certain condition is satisfied, then the networking device performs the corresponding action. For example, a rule may specify, as a condition, receiving an incoming frame from a certain IP address. The rule specifies, as a corresponding action, to discard the frame. Typically, networking devices configured with ACLs execute an action associated with the first matching rule in the list. Therefore, the ordering of the list is of importance.
An ACL may be implemented in a networking device using ternary content addressable memory (TCAM). TCAM is a type of computer memory that allows for high-speed searching of the ACL. In a basic content addressable memory (CAM) table, data is accessed by providing the content to be searched, commonly referred to as a search key (as opposed to a memory address, in the case of other types of memory). During a search operation, a CAM performs a strict compare of the binary values of the search key (i.e., 0 or 1) with the binary values stored in every row of the CAM to obtain one or more location(s) containing matching data. In contrast, each position within a TCAM is formed with a two-bit encoding, providing four combinations: 0, 1, Always Match ("wildcard" or "don't care"), and Never Match. During a search operation, a TCAM compares the binary values of the search key with the two-bit encodings stored in every row of the TCAM. As a result, using a TCAM provides more flexibility than a CAM.
A networking device may store rule conditions in a TCAM table and rule actions in an addressable array structure, such as a static random-access memory (SRAM) table. When the device matches a condition in the TCAM, the TCAM provides a memory address of the corresponding action in the SRAM.
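The following is an added software model of the arrangement described above (an ACL whose conditions live in TCAM and whose actions live in an SRAM-style array); it is illustrative code written for this page, not the implementation of any particular networking device. It encodes each TCAM cell with two bits so that all four states (0, 1, always match, never match) are representable, returns the lowest matching row address the way a priority encoder would, and uses that address to index the action array. The rule set, IP prefixes and addresses are constructed for the example; the second ACL shows why rule order matters, since a broad permit placed first shadows a more specific deny behind it.

```python
"""Software model of an ACL held in TCAM with actions in SRAM (added example).

Each TCAM cell is encoded with two bits, split here into two integers per row:
a bit set in `x` rejects a key bit of 0 at that position, a bit set in `y`
rejects a key bit of 1. The four combinations are therefore
(x=0,y=0) = always match, (0,1) = match 0 only, (1,0) = match 1 only,
(1,1) = never match. The SRAM is a plain list indexed by the row number
returned by the TCAM search.
"""
from dataclasses import dataclass
import ipaddress

WIDTH = 32                      # key width: one IPv4 address
ALL_ONES = (1 << WIDTH) - 1


@dataclass(frozen=True)
class TcamRow:
    x: int   # bit set: key bit at this position must not be 0
    y: int   # bit set: key bit at this position must not be 1

    def matches(self, key: int) -> bool:
        # A row matches when no position rejects the key bit it sees.
        return ((~key & ALL_ONES) & self.x) == 0 and (key & self.y) == 0


# Empty slot encoding: every position rejects both 0 and 1, so it never hits.
NEVER_MATCH = TcamRow(ALL_ONES, ALL_ONES)


def row_for_prefix(cidr: str) -> TcamRow:
    """Encode an IPv4 prefix: network bits are exact, host bits are wildcards."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    value, mask = int(net.network_address), int(net.netmask)
    return TcamRow(x=value & mask, y=(~value & ALL_ONES) & mask)


class TcamAcl:
    def __init__(self, rows: int = 8):
        self.tcam = [NEVER_MATCH] * rows   # rule conditions
        self.sram = ["deny"] * rows        # rule actions, same address space
        self.next_free = 0

    def add_rule(self, cidr: str, action: str) -> int:
        """Append a rule; returns its TCAM/SRAM address. Position = priority."""
        if self.next_free >= len(self.tcam):
            raise ValueError("TCAM full")
        addr = self.next_free
        self.tcam[addr] = row_for_prefix(cidr)
        self.sram[addr] = action
        self.next_free += 1
        return addr

    def search(self, key: int):
        """Hardware compares every row in parallel and a priority encoder
        returns the lowest matching address; modelled here as a linear scan."""
        for addr, row in enumerate(self.tcam):
            if row.matches(key):
                return addr
        return None

    def action_for(self, src_ip: str, default: str = "deny") -> str:
        """TCAM hit address selects the SRAM action; no hit falls to default."""
        addr = self.search(int(ipaddress.IPv4Address(src_ip)))
        return default if addr is None else self.sram[addr]


def demo() -> dict:
    # Constructed rules: block one host, permit the rest of its /24.
    good = TcamAcl()
    good.add_rule("10.0.0.5/32", "deny")
    good.add_rule("10.0.0.0/24", "permit")
    # Same two rules in the wrong order: the /24 permit shadows the host deny.
    shadowed = TcamAcl()
    shadowed.add_rule("10.0.0.0/24", "permit")
    shadowed.add_rule("10.0.0.5/32", "deny")
    return {
        "good_host": good.action_for("10.0.0.5"),
        "good_neighbour": good.action_for("10.0.0.77"),
        "good_outside": good.action_for("192.0.2.1"),
        "shadowed_host": shadowed.action_for("10.0.0.5"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Unused rows are filled with the never-match encoding rather than left as wildcards; a wildcard row in an empty slot would silently match every key that reached it and return whatever action happened to sit at that SRAM address.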