CAM is implemented in the Quartus II software through the altcam megafunction. In order to describe how CAM works in the Silicon Firewall clearly, CAM is introduced in detail in this section.
5.3.4.1 Symbol
[Figure 5.4: block symbol of the altcam megafunction, showing the input and output ports listed in Tables 5.9 and 5.10.]
Figure 5.4 Symbol for The Altcam Megafunction (after [20])
5.3.4.2 Input Pins
Table 5.9 describes the input pins of the altcam megafunction.
Table 5.9 Input Pins of The Altcam Megafunction (after [20])

| Port Name | Required | Description | Notes |
|---|---|---|---|
| pattern[] | Yes | Input data pattern for searching or writing. | Input port WIDTH wide. |
| wrx[] | No | Pattern “don’t care” bits (indicated with 1s), for writing only. | Input port WIDTH wide. |
| wrxused | No | Indicates whether wrx[] should be used. | If false, writing takes two clock cycles to complete; if true, writing takes three clock cycles. If asserted during a write cycle, the value of the wrx[] port is used. Otherwise, the value of the wrx[] port has no effect. |
| wrdelete | No | Indicates that the pattern at wraddress[] should be deleted. | Deleting a pattern takes two clock cycles; pattern[], wrx[], and wrxused are ignored during delete cycles. |
| wraddress[] | No | Address for writing. | Input port WIDTHAD wide. |
| wren | No | Write enable. | Assert wren to start a write or delete operation. De-assert wren for a read (match) operation. |
| inclock | Yes | Clock for most inputs. | |
| inclocken | No | Clock enable for inclock. | |
| inaclr | No | Asynchronous clear for registers that use inclock. | |
| mstart | No | Multi-match mode only: indicates that a new CAM read is starting and forces maddress[] to first match. | This port is not available for single-match mode but required for multiple-match modes. In fast multiple-match mode, this port is required if the mnext port is used. |
| mnext | No | Multi-match mode only: advances maddress[] to next match. | This port is not available for single-match mode. |
| outclock | No | Clock for mstart, mnext, and outputs. | Used only if “OUTPUT_REG=OUTCLOCK”. If “OUTPUT_REG=UNREGISTERED” or “INCLOCK”, this port must remain unconnected. |
| outclocken | No | Clock enable for outclock. | Used only if “OUTPUT_REG=OUTCLOCK”. If “OUTPUT_REG=UNREGISTERED” or “INCLOCK”, this port must remain unconnected. |
| outaclr | No | Asynchronous clear for registers that use outclock. | |
5.3.4.3 Output Pins
Table 5.10 Output Pins of The Altcam Megafunction (after [20])

| Port | Required | Description | Comments |
|---|---|---|---|
| maddress[] | No | Encoded address of current match. | Output port WIDTHAD wide. One of the output ports must be used. Altera recommends using either a combination of the maddress[] and mfound output ports, or the mbits[] output port. |
| mbits[] | No | Address of the found match. | Output port with width [NUMWORDS-1..0]. One of the output ports must be present. Altera recommends using either a combination of the maddress[] and mfound output ports, or the mbits[] output port. |
| mfound | No | Indicates at least one match. | Used with the maddress[] port. One of the output ports must be present. Altera recommends using either a combination of the maddress[] and mfound output ports, or the mbits[] output port. |
| mcount[] | No | Total number of matches. | Output port WIDTHAD wide. One of the output ports must be present. Altera recommends using either a combination of the maddress[] and mfound output ports, or the mbits[] output port. |
| rdbusy | No | Indicates that read input ports must hold their current value. | One of the output ports must be present. |
| wrbusy | No | Indicates that write input ports must hold their current value. | One of the output ports must be present. |
As mentioned previously, to accomplish packet filtering, a set of rules has to be set up to specify what types of packets (e.g., those to or from a particular IP address or port) are to be allowed and what types are to be blocked. Since CAM is used to do the packet filtering in this project, we need to write the reference source address patterns into CAM and then read the match results from it.
5.3.4.4 Writing Patterns into CAM
CAM can be pre-loaded with data either during configuration or during system operation. In most cases, writing each word into CAM takes two clock cycles [20]. “Don’t care” bits can be written into CAM words, and bits set to “don’t care” do not affect matching. A third clock cycle is required if “don’t care” bits are used [20].
5.3.4.5 Reading from CAM
Altera CAM operates in one of three different modes: single-match mode, multiple-match mode, and fast multiple-match mode. In each mode, the matched data’s location is outputted by an ESB as an encoded or unencoded address. In an encoded output, the address of the matched data is indicated. In an unencoded output, each output represents one word of the CAM block. The corresponding address is a match if an output goes high (e.g., if the data is located in address 14, the fourteenth output line goes high).
Single-match mode is more suited for designs without duplicate data in the memory. If multiple locations in the memory contain the same data, CAM should be used in multiple-match or fast multiple-match mode. In these two modes, CAM supports multiple-match data and the ESB outputs the locations of the matched data as encoded or unencoded addresses. Also, the CAM takes only one clock cycle to acquire outputs in single-match mode, whereas multiple-match mode needs two clock cycles, and fast multiple-match mode takes one clock cycle but needs twice as much ESB memory. Since there are no duplicate patterns in the Silicon Firewall, and speed and size are important, single-match mode is used in this project.
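
The write and read behaviour described in 5.3.4.4 and 5.3.4.5, as an added example that is not from this thesis or from Altera: a Python software model of a single-match CAM holding source-address patterns with “don’t care” bits. The 32-word depth, the lowest-address encoding of maddress, the CIDR-to-wrx helper and the sample addresses (constructed, from documentation ranges) are assumptions of this model.

```python
import ipaddress

WIDTH = 32      # pattern[] width: one IPv4 source address
NUMWORDS = 32   # assumed CAM depth, so mbits is NUMWORDS bits wide

class CamModel:
    """Software model of the write/delete/match behaviour described above."""
    def __init__(self):
        self.words = [None] * NUMWORDS   # (pattern, wrx) per word, None = empty
        self.cycles = 0                  # clock cycles consumed so far

    def write(self, wraddress, pattern, wrx=0):
        # Two cycles per write, three when don't-care bits (wrx 1s) are used.
        self.cycles += 3 if wrx else 2
        self.words[wraddress] = (pattern, wrx)

    def delete(self, wraddress):
        self.cycles += 2                 # deleting a pattern takes two cycles
        self.words[wraddress] = None

    def match(self, pattern):
        """Single-match read: returns (mfound, maddress, mbits)."""
        self.cycles += 1
        care_all = (1 << WIDTH) - 1
        mbits = 0
        for addr, word in enumerate(self.words):
            if word and (pattern ^ word[0]) & (care_all & ~word[1]) == 0:
                mbits |= 1 << addr       # unencoded: output line `addr` goes high
        # Assumption of this model: the encoded output is the lowest match.
        maddress = (mbits & -mbits).bit_length() - 1 if mbits else 0
        return bool(mbits), maddress, mbits

def load_rule(cam, wraddress, cidr):
    """Write a source-address rule; host bits of the prefix become wrx 1s."""
    net = ipaddress.ip_network(cidr)
    cam.write(wraddress, int(net.network_address), int(net.hostmask))

def lookup(cam, source_ip):
    """Present one packet's source address to the CAM as pattern[]."""
    return cam.match(int(ipaddress.ip_address(source_ip)))

def demo():
    cam = CamModel()
    load_rule(cam, 3, "192.0.2.17/32")     # exact pattern, 2 write cycles
    load_rule(cam, 14, "198.51.100.0/24")  # low 8 bits don't care, 3 cycles
    write_cycles = cam.cycles
    hits = [lookup(cam, ip) for ip in ("192.0.2.17", "198.51.100.200", "203.0.113.9")]
    return write_cycles, hits

if __name__ == "__main__":
    print(demo())
```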