MACsec Intel® FPGA IP User Guide

ID 736108
Date 6/26/2023


5.1. AXI-ST Common/Controlled/Uncontrolled Ports

The MACsec IP user interface supports six AXI-ST ports: the Common, Controlled, and Uncontrolled ports on the transmit lane and the Common, Controlled, and Uncontrolled ports on the receive lane. The maximum bandwidth supported by the MACsec IP is 200Gbps, so the aggregated bandwidth of all ports must not exceed 200Gbps. When the desired bandwidth exceeds the port bandwidth, backpressure occurs to avoid buffer overflow.

All port data widths are configurable between 64, 128, 256, and 512 bits. The maximum bandwidth supported is 200Gbps when the width of the interface between the port mux and demux blocks and the MACsec processing blocks is 512 bits.

The AXI-ST ports support both AXI-ST Single Packet Mode and AXI-ST Multi Packet Mode. The MACsec IP has two lanes: the Transmit (Tx) lane and the Receive (Rx) lane.

The AXI-ST Common/Controlled/Uncontrolled ports support 16 bits of metadata that tag along with incoming packets. These 16 bits of metadata are sent through the AXI-ST TUSER interface, which is available when the METADATA_EN parameter is configured to ENABLE. This feature is mainly used for PTP, where PTP packets are sent through the MACsec IP together with PTP sideband signals and local counter values to support PTP 1-step and 2-step modes.

The AXI-ST TID is used to indicate the Port/Stream ID and this ID tags along with the packet flowing through the MACsec encryption/decryption lane. You can use the TID to identify the source of the packet and route the packet to its destination accordingly. The packet order per stream is maintained.

Traffic that requires encryption or decryption is sent through the MACsec Controlled port. Traffic that doesn’t need to be encrypted or decrypted can be submitted through the Uncontrolled port. Traffic from both ports is merged and sent to the Common port on the transmit lane.

On the transmit lane, the Uncontrolled port traffic is muxed together with Controlled port traffic at the Common port before it is sent out from the MACsec IP. The arbitration between the Uncontrolled port and the Controlled port is based on a priority round-robin scheme where priority is given to the Controlled port traffic. When no traffic is detected on one of the ports, traffic from the other port is granted by default. There is a potential performance impact on the transmit lane because the IP is muxing 200Gbps traffic from the Controlled/Uncontrolled ports into a single Common port. It is your responsibility to make sure the total bandwidth of the Controlled and Uncontrolled ports doesn’t exceed the maximum bandwidth supported by the MACsec IP, which is 200Gbps. You need to handle the flow control on the MACsec IP Controlled/Uncontrolled ports so that no overflows (packet drops) happen on the Mux/Demux interfaces due to unmatched bandwidth.

On the receive lane, when the Common port traffic is parsed and no MACsec Ethertype is detected, the traffic is routed to the Uncontrolled port. The Uncontrolled port sees all traffic including encrypted packets and non-MACsec packets. You are then required to process the traffic and extract the packets. By default, the Uncontrolled ports on transmit and receive lanes are disabled.
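
The receive-lane routing rule above can be checked in a testbench or against captured frames with a small software model. The following is an added example, not Intel code: `classify_rx` and the sample frames are hypothetical, the EtherType value 0x88E5 and the SecTAG layout come from IEEE 802.1AE, and routing MACsec-tagged frames to the Controlled (decryption) path is an assumption inferred from the text.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5  # EtherType assigned to MACsec by IEEE 802.1AE

def classify_rx(frame: bytes) -> dict:
    """Model the receive-lane routing decision for one frame (no preamble or FCS)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        # No MACsec EtherType detected: routed to the Uncontrolled port.
        return {"port": "uncontrolled", "ethertype": ethertype}
    # Assumed: MACsec-tagged frames take the decryption path (Controlled port).
    # SecTAG after the EtherType: TCI/AN (1), SL (1), PN (4), optional SCI (8).
    if len(frame) < 20:
        raise ValueError("truncated SecTAG")
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, 14)
    info = {
        "port": "controlled",
        "ethertype": ethertype,
        "an": tci_an & 0x03,               # association number
        "encrypted": bool(tci_an & 0x08),  # E bit
        "changed": bool(tci_an & 0x04),    # C bit
        "short_len": sl & 0x3F,
        "pn": pn,                          # packet number used for replay protection
        "sci": None,
    }
    if tci_an & 0x20:  # SC bit: an explicit 8-byte SCI follows the PN
        if len(frame) < 28:
            raise ValueError("SC bit set but SCI truncated")
        info["sci"] = frame[20:28].hex()
    return info

# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("0180c2000003")
SRC = bytes.fromhex("020000000001")
PLAIN_FRAME = DST + SRC + bytes.fromhex("0800") + bytes(46)
MACSEC_FRAME = (DST + SRC + bytes.fromhex("88e5")
                + bytes([0x2C, 0x00])                  # TCI: SC=1, E=1, C=1, AN=0; SL=0
                + struct.pack("!I", 7)                 # PN = 7
                + SRC + bytes.fromhex("0001")          # SCI = source MAC + port 1
                + bytes(48))                           # placeholder payload + ICV

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN_FRAME), ("macsec", MACSEC_FRAME)):
        print(name, classify_rx(frame))
```
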