MACsec Intel® FPGA IP User Guide

ID 736108
Date 3/31/2024
Document Table of Contents

5.1. AXI-ST Common/Controlled/Uncontrolled Ports

The MACsec IP user interface supports 6 AXI-ST ports (transmit lane Common/Controlled/Uncontrolled/ ports and receive lane Common/Controlled/Uncontrolled/ ports). The maximum bandwidth supported by the MACsec IP is 200Gbps and therefore the aggregated bandwidth of all ports must not exceed 200Gbps. In the scenario where the desired bandwidth exceeds the port bandwidth, backpressure occurs to avoid buffer overflow.

All port data widths are configurable between 64, 128, 256, and 512 bits. The maximum bandwidth supported is 200Gbps when the width of the interface between the port mux and demux blocks and the MACsec processing blocks is 512 bits.

The AXI-ST ports support both AXI-ST Single Packet Mode and AXI-ST Multi Packet Mode. There are 2 lanes which exist within the MACsec IP, one is the Transmit Tx Lane and the other is the Receive Rx Lane.

The AXI-ST Common/Controlled/Uncontrolled ports support 16 bits of metadata which tag along with incoming packets. These 16 bits of metadata are sent through the AXI-ST TUSER interface which is available when the METADATA_EN parameter is configured to ENABLE. This feature is mainly used in PTP where PTP packets are sent through the MACsec IP together with PTP sideband signals and local counter values to support PTP 1- step and 2-step modes.

The AXI-ST TID is used to indicate the Port/Stream ID and this ID tags along with the packet flowing through the MACsec encryption/decryption lane. You can use the TID to identify the source of the packet and route the packet to its destination accordingly. The packet order per stream is maintained.

Traffic that requires encryption or decryption is sent through the MACsec Controlled port. In the case of traffic that doesn’t need to be encrypted or decrypted, it can be submitted through the Uncontrolled port. Traffic from both ports is merged and sent to the Common port on the transmit lane.

On the transmit lane, the Uncontrolled port traffic is muxed together with Controlled port traffic at the Common port before sending it out from the MACsec IP. The switching between CP/UCP has no priority bit. The switching happens from CP to UCP when the transmission of packets from all CP ports are finished, and when there is no incoming CP packet for more then 6 clock cycles. The switching from UCP to CP takes place when UCP reaches tlast=1. There is a potential performance impact on the transmit lane as the IP is muxing 200Gbps traffic from Controlled/Uncontrolled ports into a single Common port. It is your responsibility to make sure the total bandwidth of both Controlled/Uncontrolled port doesn’t exceed the maximum bandwidth supported by the MACsec IP, which is 200Gbps. You need to handle the flow control on the MACsec IP Controlled/Uncontrolled ports so that no overflows (packet drops) happen on the Mux/Demux interfaces due to unmatched bandwidth.

On the receive lane, when the Common port traffic is parsed and no MACsec Ethertype is detected, the traffic is routed to the Uncontrolled port. The Uncontrolled port sees all traffic including encrypted packets and non-MACsec packets. You are then required to process the traffic and extract the packets. By default, the Uncontrolled ports on transmit and receive lanes are disabled.