- Computers & electronics
- Computer components
- System components
- Networking cards
- Mellanox
- Innova IPsec 4 Lx
- User manual
- 63 Pages
Mellanox Innova IPsec 4 Lx Ethernet Adapter Card User Manual
The Innova IPsec 4 Lx provides security acceleration for IPsec-enabled networks while taking advantage of the ConnectX-4 Lx Ethernet (EN) integrated circuit device’s best-in-class performance, unmatched scalability, and efficiency.
advertisement
Assistant Bot
Need help? Our chatbot has already read the manual and is ready to assist you. Feel free to ask any questions about the device, but providing details will make the conversation more productive.
Mellanox Innova™ IPsec 4 Lx
Ethernet Adapter Card User Manual
Rev 1.4
www.mellanox.com
Mellanox Technologies
NOTE:
THIS HARDWARE, SOFTWARE OR TEST SUITE PRODUCT (“PRODUCT (S)”) AND ITS RELATED
DOCUMENTATION ARE PROVIDED BY MELLANOX TECHNOLOGIES “AS-IS” WITH ALL FAULTS OF ANY
KIND AND SOLELY FOR THE PURPOSE OF AIDING THE CUSTOMER IN TESTING APPLICATIONS THAT
USE THE PRODUCTS IN DESIGNATED SOLUTIONS. THE CUSTOMER'S MANUFACTURING TEST
ENVIRONMENT HAS NOT MET THE STANDARDS SET BY MELLANOX TECHNOLOGIES TO FULLY
QUALIFY THE PRODUCT(S) AND/OR THE SYSTEM USING IT. THEREFORE, MELLANOX TECHNOLOGIES
CANNOT AND DOES NOT GUARANTEE OR WARRANT THAT THE PRODUCTS WILL OPERATE WITH THE
HIGHEST QUALITY. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT ARE DISCLAIMED. IN NO EVENT SHALL MELLANOX BE LIABLE TO CUSTOMER OR
ANY THIRD PARTIES FOR ANY DIRECT, INDIRECT, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES OF ANY KIND (INCLUDING, BUT NOT LIMITED TO, PAYMENT FOR PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT , STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY FROM THE USE OF THE
PRODUCT(S) AND RELATED DOCUMENTATION EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Mellanox Technologies
350 Oakmead Parkway Suite 100
Sunnyvale, CA 94085
U.S.A.
www.mellanox.com
Tel: (408) 970-3400
Fax: (408) 970-3403
© Copyright 2017. Mellanox Technologies Ltd . All Rights Reserved .
Mellanox®, Mellanox logo, Accelio®, BridgeX®, CloudX logo, CompustorX®, Connect -IB®, ConnectX®,
CoolBox® , CORE-Direct® , EZchip®, EZchip logo, EZappliance®, EZdesign®, EZdriver®, EZsystem®,
GPUDirect®, InfiniHost®, InfiniBridge®, InfiniScale®, Kotura®, Kotura logo, Mellanox CloudRack® , Mellanox
CloudXMellanox® , Mellanox Federal Systems® , Mellanox HostDirect® , Mellanox Multi-Host® , Mellanox Open
Ethernet®, Mellanox OpenCloud® , Mellanox OpenCloud Logo® , Mellanox PeerDirect® , Mellanox ScalableHPC® ,
Mellanox StorageX® , Mellanox TuneX® , Mellanox Connect Accelerate Outperform logo , Mellanox Virtual Modular
Switch®, MetroDX®, MetroX®, MLNX-OS®, NP-1c®, NP-2®, NP-3®, Open Ethernet logo , PhyX®, PlatformX®,
PSIPHY®, SiPhy®, StoreX®, SwitchX®, Tilera®, Tilera logo, TestX®, TuneX®, The Generation of Open Ethernet logo, UFM®, Unbreakable Link® , Virtual Protocol Interconnect®, Voltaire® and Voltaire logo are registered trademarks of Mellanox Technologies , Ltd.
All other trademarks are property of their respective owners .
For the most updated list of Mellanox trademarks, visit http://www.mellanox.com/page/trademarks
Doc #: MLNX-15-50911 Mellanox Technologies 2
Table of Contents
Chapter 4 Innova IPsec Offload Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.1.1 Offloaded IPsec Protocols and Internet Protocols . . . . . . . . . . . . . . . . . . . 24
Rev 1.4
Mellanox Technologies 3
4
Chapter 5 IPsec Offload Software Installation and Operation. . . . . . . . . . . . 27
5.1 Installation of Kernel with IPsec Offload Module . . . . . . . . . . . . . . . . . . . 27
5.3.2 Setting up an Offloaded IPsec Connection . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.3.1.1 Burning the FPGA’s Flash Device Using the mlx_fpga Burning Tool . . . . 34
Chapter 7 Updating Innova IPsec Adapter Card Firmware. . . . . . . . . . . . . . . 36
9.1 MNV101511A-BCIT Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.3 Board Mechanical Drawing and Dimensions . . . . . . . . . . . . . . . . . . . . . . . 44
Appendix A Fast Installation and Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Mellanox Technologies Rev 1.4
A.2 Content of Innova IPsec Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
A.3 Software, Firmware and Tools Installation . . . . . . . . . . . . . . . . . . . . . . 47
A.4 Software, Firmware and Tools Update . . . . . . . . . . . . . . . . . . . . . . . . . 48
Appendix B Interface Connectors Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
B.1 QSFP Connector Pinout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
B.2 PCI Express x8 Connector Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
B.3 I2C-compatible Connector Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Appendix C Finding the MAC and Serial Number on the Adapter Card . . . . 55
Appendix E Avertissements de sécurité d’installation (Warnings in French) 58
Appendix F Sicherheitshinweise (Warnings in German) . . . . . . . . . . . . . . . . 60
Appendix G Advertencias de seguridad para la instalación (Warnings in Spanish) 62
Rev 1.4
Mellanox Technologies 5
6 Mellanox Technologies Rev 1.4
List of Tables
Table 9:
Rev 1.4
Mellanox Technologies 7
8 Mellanox Technologies Rev 1.4
List of Figures
Figure 4: Mechanical Drawing of the MNV101511A-BCIT Innova IPsec Adapter Card . . . . . . . . . . 44
Figure 7: Connector and Cage Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Figure 8: PCIe x8 Connector Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Figure 9: Compatible Connector Plug and Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Rev 1.4
Mellanox Technologies 9
10
Revision History
This document was printed on June 20, 2017.
Table 1 - Revision History Table
Date
June 2017
Rev
1.4
January 2017 1.3
Comments/Changes
• Removed MCX4732A-BCIT from document
• Changed mlx_ipsec to mlx5_core
• Updated “memory” in Section 1.2, “Features and Benefits,” on page 14
• Updated
Section 4.2, “IPsec Offload Kernel and
• Updated
Section 4.3, “IPsec Offload for DPDK Applications,” on page 26
• Updated
Section 5.1, “Installation of Kernel with IPsec
• Updated
Section 5.3.1, “Loading/Unloading the Module,” on page 29
• Updated
Section 5.3.3, “Destroying IPsec Tunnels,” on page 31
• Updated
Section 6.2, “mlx_fpga Synopsis,” on page 33
• Updated
Table 6, “MNV101511A-BCIT Specifications
• Added Appendix A.3, “Software, Firmware and Tools
• Updated
Appendix A.4, “Software, Firmware and Tools
• Updated Section 5.1.1, “Obtaining the Kernel Modules,” on page 27
• Updated
Section 5.3.2, “Setting up an Offloaded IPsec
• Updated
Section 5.3.3, “Destroying IPsec Tunnels,” on page 31
• Updated
Section 6.1, “Tool Requirements,” on page 33
• Updated
Section 6.2, “mlx_fpga Synopsis,” on page 33
• Added Section 6.3.1.1, “Burning the FPGA’s Flash
Device Using the mlx_fpga Burning Tool,” on page 34
• Updated
Section 6.3.1.2, “Loading Tool,” on page 34
• Updated
Chapter 7,“Updating Innova IPsec Adapter
• Added Figure 6, “Single-Port Short Bracket,” on page 46
• Added Appendix A, “Fast Installation and Update,” on page 47
Mellanox Technologies Rev: 1.4
Rev: 1.4
Table 1 - Revision History Table
Date
September 2016
Rev
1.2
July 2016
April 2016
1.1
1.0
Comments/Changes
• Added MNV101511A-BCIT across document:
- Section 1.1, “Product Overview,” on page 13
- Section 9.1, “MNV101511A-BCIT Specifications,” on page 40
- Figure 3, “MNV101511A-BCIT LEDs Placement (Example),” on page 41
- Figure 4, “Mechanical Drawing of the MNV101511A-BCIT
Innova IPsec Adapter Card,” on page 44
• Added Chapter 5,“IPsec Offload Software Installation and Operation” on page 27
• Updated
Section 5.1.2, “Installing the Kernel and
• Updated
Section 5.3.1, “Loading/Unloading the Module,” on page 29
• Updated
Section 5.3.2, “Setting up an Offloaded IPsec
• Added Section 5.3.3, “Destroying IPsec Tunnels,” on page 31
• Removed Innova IPsec 4 Lx EN Card Drivers
• Updated
Chapter 6,“mlx_fpga Tool” on page 33
• Updated
Section 8.1, “General,” on page 38
• Updated
Section 9.1, “MNV101511A-BCIT Specifications,” on page 40
• Updated
Appendix C, “Finding the MAC and Serial
Number on the Adapter Card,” on page 55
• Changed mlx_accel_ipsec to mlx_ipsec.
• Added Section 4.2.2, “mlx5_fpga_tools Module,” on page 25
• Updated
Section 5.1.1, “Obtaining the Kernel Modules,” on page 27
• Updated
Section 5.1.2, “Installing the Kernel and
• Updated
Section 5.1.3, “Installing the Customized iproute2 Utility,” on page 28
• Added Section 5.3.4, “IPsec Offload Statistics,” on page 31
• Added “Update FPGA Image” on page 35
• Updated
Chapter 5.1,“Installation of Kernel with IPsec
First Release
Mellanox Technologies 11
1 Introduction
This is the User Guide for Mellanox Technologies Innova IPsec adapter card based on the ConnectX ®-4 Lx Ethernet (EN) integrated circuit device with an on-board FPGA device.
The Mellanox Innova IPsec 4 Lx EN adapter card provides security acceleration for IPsecenabled networks while taking advantage of the ConnectX-4 Lx EN Network Controller’s bestin-class performance, unmatched scalability, and efficiency.
The constantly growing demand for security and privacy in modern data centers, private and public clouds, Web 2.0 infrastructure, and telecommunication systems, requires the use of security protocols. IPsec is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. However, the high computing power required by the IPsec algorithms consumes expensive CPU cycles and limits network connection performance.
The Mellanox Innova IPsec 4 Lx EN adapter offloads the processing of the IPsec algorithms, frees up the CPU, and eases network bottlenecks.
The adapter integrates advanced network capabilities and encryption offloading in one card, utilizing only a single PCIe slot for both networking and crypto functions.
The Mellanox Innova IPsec 4 Lx EN adapter also brings Innova IPsec 4 Lx’s industry leading technologies: hardware support for RDMA over Converged Ethernet, Ethernet stateless offload engines, overlay networks, GPUDirect® technologies, and more.
This chapter covers the following topics:
• Section 1.1, “Product Overview,” on page 13
• Section 1.2, “Features and Benefits,” on page 14
• Section 1.3, “Block Diagram,” on page 16
•
Section 1.4, “Operating Systems/Distributions,” on page 16
• Section 1.5, “Connectivity,” on page 17
• Section 1.6, “Related Documents,” on page 17
12 Mellanox Technologies Rev: 1.4
Introduction
1.1
Product Overview
The following section provides the ordering part number, port speed, number of ports, and PCI
Express speed.
Table 2 - Single-port Innova IPsec Adapter Cards
Ordering Part Number (OPN)
MNV101511A-BCIT - HHHL card with Xilinx Kintex®
UltraScale™ XCKU060
Ethernet: 10/40Gb/s
Data Transmission Rate
Single-port QSFP
Network Connector Types
PCI Express (PCIe) SerDes Speed
RoHS
Adapter IC Part Number
Device ID (decimal)
PCIe 3.0 x8 8GT/s
R6
MT27711A0-FDCF-BE
610
Rev: 1.4
Mellanox Technologies 13
1.2
Features and Benefits
Table 3 - Features a
PCI Express (PCIe)
Uses PCIe Gen 3.0 (1.1 and 2.0 compatible) through an x8 edge connector up to
8GT/s
10/40 Gigabit Ethernet
Memory
IPsec Offload
Overlay Networks
Mellanox adapters comply with the following IEEE 802.3* standards:
– IEEE Std 802.3ba 40 Gigabit Ethernet
– IEEE Std 802.3ae 10 Gigabit Ethernet
– IEEE Std 802.3ad, Link Aggregation
– IEEE Std 802.1Q, 1P VLAN tags and priority
– IEEE Std 802.1Qau Congestion Notification
– IEEE Std 802.1Qbg
_ IEEE P802.1Qaz D0.2 ETS
_ IEEE P802.1Qbb D1.0 Priority-based Flow Control
PCI Express - stores and accesses Ethernet fabric connection information and packet data
SPI - includes two SPI Flash devices:
• one 16MB SPI Flash device (W25Q128FVSIG by WINBOND-NUVOTON) for ConnectX-4 Lx device
• one 512Mb SPI flash (MT25QL512ABB8E12 by MICRON TECHNOL-
OGY) for the FPGA device
EEPROM - accessible through the I2C-compatible interface. The EEPROM capacity is 128Kb.
2GByte DDR4 - PC-1600MT/sec Soldered on board
The Innova IPsec adapter provides offloading of compute intensive encryption/ decryption and authentication algorithms, which are used by the IPsec protocol.
Support for Linux and Windows IPsec software interfaces ensures native integration with existing IPsec applications, with no required changes to the user’s software. IPsec offloading is handled by the combination of the ConnectX-4 Lx network controller and an on-board FPGA, providing high performance and flexibility for future enhancements and customizations. The FPGA is connected to the
ConnectX-4 Lx through a ‘bump-in-the-wire’ topology, hence encryption and decryption are performed inline with the network flow. This results in lower latency and additional savings of CPU resources compared to other IPsec protocol solutions, be it through software or alternative accelerators.
In order to better scale their networks, data center operators often create overlay networks that carry traffic from individual virtual machines over logical tunnels in encapsulated formats such as NVGRE and VXLAN. While this solves network scalability issues, it hides the TCP packet from the hardware offloading engines, placing higher loads on the host CPU. Innova IPsec adapter effectively addresses this by providing advanced NVGRE, VXLAN and GENEVE hardware offloading engines that encapsulate and de-capsulate the overlay protocol headers, enabling the traditional offloads to be performed on the encapsulated traffic for these and other tunneling protocols (GENEVE, MPLS, QinQ, and so on). With Innova
IPsec adapter, data center operators can achieve native performance in the new network architecture.
14 Mellanox Technologies Rev: 1.4
Introduction
Table 3 - Features a
RDMA and RDMA over
Converged Ethernet (RoCE)
Mellanox PeerDirect™
CPU offload
Quality of Service (QoS)
Hardware-based I/O
Virtualization
Storage Acceleration
Distributed RAID
Innova IPsec adapter supports RoCE specifications delivering low-latency and high- performance over Ethernet networks. Leveraging data center bridging
(DCB) capabilities as well as Innova IPsec adapter advanced congestion control hardware mechanisms, RoCE provides efficient low-latency RDMA services over
Layer 2 and Layer 3 networks.
PeerDirect™ communication provides high efficiency RDMA access by eliminating unnecessary internal data copies between components on the PCIe bus (for example, from GPU to CPU), and therefore significantly reduces application run time. Innova IPsec adapter advanced acceleration technology enables higher cluster efficiency and scalability to tens of thousands of nodes.
Adapter functionality enabling reduced CPU overhead allowing more available
CPU for computation tasks.
Support for port-based Quality of Service enabling various application requirements for latency and SLA
Innova IPsec adapter SR-IOV technology provides dedicated adapter resources and guaranteed isolation and protection for virtual machines (VMs) within the server. I/O virtualization with Innova IPsec adapter gives data center administrators better server utilization while reducing cost, power, and cable complexity, allowing more Virtual Machines and more tenants on the same hardware.
A consolidated compute and storage network achieves significant cost-performance advantages over multi-fabric networks. Standard block and file access protocols can leverage RDMA for high-performance storage access.
Innova IPsec adapter delivers advanced Erasure Coding offloading capability, enabling distributed Redundant Array of Inexpensive Disks (RAID), a data storage technology that combines multiple disk drive components into a logical unit for the purposes of data redundancy and performance improvement. Innova IPsec adapter’s Reed-Solomon capability introduces redundant block calculations, which, together with RDMA, achieves high performance and reliable storage access.
a. This section describes hardware features and capabilities. Please refer to the driver release notes for feature availability. See
Section 1.6, “Related Documents,” on page 17
.
Rev: 1.4
Mellanox Technologies 15
1.3
Block Diagram
Figure 1: Innova IPsec 4 Lx EN Adapter Card Block Diagram
x 8 P C I e G e n 3
D R A M
2 G B
D D R 4-
1 6 0 0[ M T / S e c]
C o n fig . F L A S H
JT A G -IF
F P G A
1.4
Operating Systems/Distributions
1
• RHEL/CentOS
• Ubuntu
• Fedora
• OpenFabrics Enterprise Distribution (OFED)
1. Windows will be supported in a future revision.
16 Mellanox Technologies x 8 P C Ie G e n 3
J T A G /
G P I O
C o n n e ct X
I 2 C
Rev: 1.4
Introduction
1.5
Connectivity
• Interoperable with 10Gb and 40Gb Ethernet switches
• Passive copper cable with ESD protection
• Powered connectors for optical and active cable support
1.6
Related Documents
Table 4 - Documents List
Document’s Name
Mellanox Firmware Tools (MFT) User
Manual
Document no. 2204UG
Mellanox OFED for Linux
User Manual
Document no. 2877
Performance Tuning Guidelines for Mellanox Network Adapters
Document no. 3368
Mellanox EN for Linux Driver Release
Notes
IEEE Std 802.3 Specification
PCI Express 3.0 Specifications
IETF IPsec specifications
Location
User Manual describing the set of MFT firmware management tools for a single node.
See http://www.mellanox.com/page/management_tools
User Manual describing OFED features, performance, tools content and configuration. See http://www.mellanox.com => Products
=> Software => InfiniBand/VPI Drivers => Mellanox OpenFabrics Enterprise Distribution for Linux (MLNX_OFED)
User Manual describes important tuning parameters and settings that can improve performance for Mellanox drivers.
See http://www.mellanox.com/related-docs/prod_software/Performance_Tuning_Guide_for_Mellanox_Network_Adapters.pdf
Release notes for Mellanox Technologies' MLNX_EN for Linux driver kit for Mellanox adapter cards: http://www.mellanox.com => Products => Software => Infini-
Band/VPI Drivers => Mellanox OpenFabrics Enterprise Distribution for Linux (MLNX_OFED) => Release Notes
This is the IEEE Ethernet specification http://standards.ieee.org/getieee802
Industry Standard PCI Express 3.0 Base and Card Electromechanical Specifications.
https://pcisig.com/specifications https://tools.ietf.org/html/rfc4301
Rev: 1.4
Mellanox Technologies 17
2 Interfaces
Each adapter card includes the following interfaces:
The adapter cards include special circuits to protect from ESD shocks to the card/server when plugging copper cables.
2.1
Ethernet QSFP Interface
The network port of the Innova IPsec adapter is compliant with the IEEE 802.3 Ethernet stan-
dards listed in Table 3, “Features,” on page 14 . For connecting to an SFP+ interface, you can use
a Mellanox QSA (QSFP to SFP+) adapter module.
2.2
PCI Express Interface
The Innova IPsec adapter card supports PCI Express 3.0 (1.1 and 2.0 compatible) through an x8 edge connector. The device can be either a master initiating the PCI Express bus operations or a slave responding to PCI bus operations. The following lists PCIe interface features of the Innova
IPsec adapter card:
• PCIe Gen 3.0 compliant, 1.1 and 2.0 compatible
• 2.5, 5.0, or 8.0GT/s link rate x8
• Auto-negotiates to x8, x4, x2, or x1
• Support for MSI/MSI-X mechanisms
2.3
LED Interface
For Innova IPsec adapter card LED specifications, please refer to
18 Mellanox Technologies Rev: 1.4
Hardware Installation
3 Hardware Installation
3.1
System Requirements
3.1.1 Hardware
A system with a PCI Express x8 slot is required for installing the card.
3.1.2 Operating Systems/Distributions
Please refer to
Section 1.4, “Operating Systems/Distributions,” on page 16
.
3.2
Safety Precautions
The adapter is being installed in a system that operates with voltages that can be lethal.
Before opening the case of the system, observe the following precautions to avoid injury and prevent damage to system components.
1. Remove any metallic objects from your hands and wrists.
2. Make sure to use only insulated tools.
3. Verify that the system is powered off and is unplugged.
4. It is strongly recommended to use an ESD strap or other antistatic devices.
3.3
Pre-installation Checklist
1. Verify that your system meets the hardware and software requirements stated above.
2. Shut down your system if active.
3. After shutting down the system, turn off power and unplug the cord.
4. Remove the card from its package. Please note that the card must be placed on an antistatic surface.
5. Check the card for visible signs of damage. Do not attempt to install the card if damaged.
3.4
Bracket Installation Instructions
The card is usually shipped with a tall bracket installed. If this form factor is suitable for your
.
If you need to replace it with the short bracket that is included in the shipping box, please follow the instructions in this section.
Rev: 1.4
Mellanox Technologies 19
Due to risk of damaging the EMI gasket, it is not recommended to replace the bracket more than three times.
To replace the bracket you will need the following parts:
• The new bracket of the proper height
• The 2 screws saved from the removal of the bracket
• The 2 fiber washers saved from the removal of the bracket
3.4.1 Removing the Existing Bracket
1. Remove the two screws holding the bracket in place. The bracket comes loose from the card.
Be careful not to put stress on the LED.
2. Save the two screws and the two fiber washers.
3.4.2 Installing the New Bracket
1. Place the bracket onto the card until the screw holes line up.
Do not force the bracket onto the card. You may have to gently push the LEDs using a small screwdriver to align the LEDs with the holes in the bracket.
2. Screw on the bracket using the screws and washers saved from the bracket removal procedure above.
3. Make sure that the LEDs are aligned onto the bracket holes.
4. Use a torque driver to apply up to 2.9 lbs-in torque on the screws.
3.5
Card Installation Instructions
1. Open the system case.
2. Place the adapter in a standard PCI Express slot
3. Applying even pressure at both corners of the card, insert the adapter card into the slot until it is firmly seated. When the adapter is properly seated, the adapter port connectors are aligned with the slot opening, and the adapter faceplate is visible against the system chassis.
20 Mellanox Technologies Rev: 1.4
Hardware Installation
Do not use excessive force when seating the card, as this may damage the system or the adapter.
3.6
Cables and Modules
To obtain the list of supported cables for your adapter, please refer to http://www.mellanox.com/ products/interconnect/cables-configurator.php
.
3.6.1 Cable Installation
1. All cables can be inserted or removed with the unit powered on.
2. To insert a cable, press the connector into the port receptacle until the connector is firmly seated. a. Support the weight of the cable before connecting the cable to the adapter card. Do this by using a cable holder or tying the cable to the rack.
b. Determine the correct orientation of the connector to the card before inserting the connector. Do not try and insert the connector upside down. This may damage the adapter card.
c. Insert the connector into the adapter card. Be careful to insert the connector straight into the cage. Do not apply any torque, up or down, to the connector cage in the adapter card.
d. Make sure that the connector locks in place.
When installing cables make sure that the latches engage.
Always install and remove cables by pushing or pulling the cable and connector in a straight line with the card.
3. After inserting a cable into a port, the Amber LED indicator will light when the physical connection is established (that is, when the unit is powered on and a cable is plugged into the port with the other end of the connector plugged into a functioning port). See
IPsec 4 Lx EN LEDs,” on page 41
.
4. After plugging in a cable, lock the connector using the latching mechanism particular to the cable vendor. When a logical connection is made, the Green LED will light. When data is being transferred the Green LED will blink. See
Section 9.2, “Innova IPsec 4 Lx EN LEDs,” on page 41 .
Rev: 1.4
Mellanox Technologies 21
5. Care should be taken as not to impede the air exhaust flow through the ventilation holes. Use cable lengths which allow for routing horizontally around to the side of the chassis before bending upward or downward in the rack.
6. To remove a cable, disengage the locks and slowly pull the connector away from the port receptacle. LED indicator will turn off when the cable is unseated.
3.7
Identify the Card in Your System
Get the device location on the PCI bus by running lspci and locating lines with the string “Mellanox Technologies”:
> lspci |grep -i Mellanox
Network controller: Mellanox Technologies MT27710 Family [ConnectX-4 Lx]
22 Mellanox Technologies Rev: 1.4
Innova IPsec Offload Overview
4 Innova IPsec Offload Overview
The Innova IPsec 4 Lx EN adapter is pre-programmed with a Mellanox IPsec offload FPGA logic, offering encryption, decryption and authentication for IPsec security protocol suite.
The IPsec offload solution offers three major benefits:
1. Offloads compute intensive crypto algorithms from the host CPU, thus freeing up the CPU and easing network bottlenecks.
2. Since the crypto process occurs on the FPGA, which acts as a 'bump-in-the-wire', the traffic reaches the ConnectX-4 Lx plain so that the various ConnectX-4 Lx networking and stateless offloads can be applied to that traffic.
3. The existing IPsec implementation in Linux kernel requires the network stack to process the packet before and after the crypto processing of the packet. As 'bump-in-the-wire', Innova
IPsec prevents traffic from undergoing the kernel network stacks process more than once.
With these benefits, IPsec offload allows the adapter to reach full wire speed with IPsec secured traffic on the wire while reducing CPU utilization.
IPsec offload is supported in two modes - kernel mode ( Section 4.2, “IPsec Offload Kernel and
) and DPDK ( Section 4.3, “IPsec Offload for DPDK Applications,” on page 26
).
4.1
Security Engines and IPsec Protocols
For list of supported crypto algorithms please refer to Mellanox Innova IPsec 4 Lx EN Release
Notes. Additional crypto algorithms can be added based on business needs.
The crypto algorithms in the Innova IPsec adapter is a symmetric encryption and authentication using either the AES-GCM mechanism (described in GCM-Spec ), the encryption of AES-CBC
(described in CBC-Spec ) and/or the authentication by:
• HMAC-SHA-1
• HMAC-SHA2 (224, 256, 384, 512)
Please refer to HMAC-Spec and SHA-Spec for further details.
The crypto engines are designed to deliver full wire speed operation in a wire rate of 40G. This crypto is integrated with IPsec-ESP protocol mechanism which is elaborated in rfc4106 , or with
IPsec-AH, as described in rfc4302 .
Rev: 1.4
Mellanox Technologies 23
4.1.1 Offloaded IPsec Protocols and Internet Protocols
This section lists IPsec protocols and Internet Protocols that can be offloaded to the Innova IPsec adapter.
For list of supported protocols, please refer to Mellanox Innova IPsec 4 Lx EN Release Notes.
4.1.1.1 IPsec Protocols
• ESP modes - Tunnel mode, Transport mode
• AH modes - Tunnel mode, Transport mode
4.1.1.2 Internet Protocols
• IPv4
• IPv6
4.2
IPsec Offload Kernel and Driver
In order to install the kernel and driver, please refer to
Chapter 5,“IPsec Offload Software Installation and Operation” on page 27 .
The Innova IPsec offload solution is designed in a way that is integrated into the latest IPsec framework in the Linux kernel, IP-XFRM framework, using the IP-XFRM offload API provided by the kernel.
The IP-XFRM framework is exposed to the user through various software implementations for
IPsec connection creation and management (such as iproute2, libreswan, strongswan and others).
Upon setting up an IPsec connection, the user can choose whether to enable the Innova IPsec offload on the specific IPsec security association (SA) that is created once the connection is gener-
ated. See Section 5.3.2, “Setting up an Offloaded IPsec Connection,” on page 29 . Security
associations that are not set to be offloaded will still undergo encryption/decryption operations by the Linux kernel.
4.2.1 Innova IPsec Ethernet Driver Module
The Innova IPsec adapter has a dedicated driver in the form of a kernel module, mlx5_core.ko.
The driver performs the following:
• Configures the offload settings and modes in HW.
• Manages the offloaded security associations database in HW and ensures its validity.
• Ensures and maintains the flow of packets from kernel network stack to the Innova IPsec adapter for offloading of encryption and from the Innova IPsec adapter to kernel network stack after decryption offloading.
24 Mellanox Technologies Rev: 1.4
illustrates the IPsec solution layers and components.
Figure 2: IPsec Solution Layers and Components
Innova IPsec Offload Overview
4.2.2 mlx5_fpga_tools Module
mlx5_fpga_tools module is included in the new kernel installation.
The module allows opening and configuring character device to be used by the dedicated mlx_fpga tool for various purposes. Please refer to
Chapter 6,“mlx_fpga Tool” on page 33.
The module is not loaded by default and not required for IPsec offload.
To load it run: modprobe mlx5_fpga_tools
The module depends on mlx5_core module.
4.2.3 Key Generation and Exchange
The Innova IPsec adapter currently only supports offloading of the encryption, decryption and authentication of IPsec traffic. The key generation and exchange protocol, whether done manually or through IKE protocol, remains within complete ownership of the userspace software that is used for IPsec connection creation and management (such as iproute2, libreswan, strongswan and others) and is not affected by the HW or the supplied IPsec kernel module.
The Mellanox IPsec kernel module will only be invoked by the kernel offload API once the key and SPI values are determined (whether manually or by IKE) and crypto offload is enabled. The
Rev: 1.4
Mellanox Technologies 25
module will update the security association database on the FPGA/DDR so that crypto offload can occur while traffic is running.
4.3
IPsec Offload for DPDK Applications
mlx5_core module offers offload support for raw Ethernet and kernel bypass drivers by exposing a user interface to control the offloaded security associations in the FPGA.
Mellanox provides a DPDK Poll Mode Driver (PMD) which makes use of this interface. PMD provides a new API for DPDK applications to open/close offloaded security associations (control path) while transmitting/receiving traffic through them (data path). The data path is still done with kernel network stack bypass, providing the application the benefits of the both DPDK acceleration and security offload (encryption/decryption).
Please refer to Mellanox Innova IPsec 4 Lx EN Release Notes for supported versions.
26 Mellanox Technologies Rev: 1.4
IPsec Offload Software Installation and Operation
5 IPsec Offload Software Installation and Operation
5.1
Installation of Kernel with IPsec Offload Module
5.1.1 Obtaining the Kernel Modules
The kernel modules described in Section 4.2, “IPsec Offload Kernel and Driver,” on page 24
are a part of a special Linux kernel installation bundle provided by Mellanox. The bundle includes latest kernel installation files and other related components:
• FPGA image bin file
• Kernel RPM files
• MFT tarball file
• Firmware bin files
• Example IPsec offload scripts
To download the bundle, please refer to: www.mellanox.com
=> Products => Programmable
Adapter Cards => Innova IPsec => FW & SW.
5.1.2 Installing the Kernel
and Driver
Please make sure that the latest FW, FPGA image and MFT versions are installed. Please refer to the Mellanox Innova IPsec 4 Lx EN Adapter Card Release Notes for the latest versions.
Once you have obtained the kernel RPM file, the file can be installed by performing the following steps:
1. Run: rpm -i kernel-<kernel_version>.rpm / rpm -i kernel-devel-<kernel_version>.rpm
2. Verify that the initial RAM disk image has been created: a. Run ls /boot/ and look for the relevant initramfs and vmlinuz files that match the kernel version you just installed (names should match the RPM name).
3. Open the /boot/grub/grub.conf file for editing (the boot menu configuration file) and add a new menu entry for the new installed kernel. Example of menu entry to be added (replace the vmlinuz and initramfs names with the new kernel file names and modify the entry title as desired): title upstream-4.7 rc5 for FPGA root (hd0,0) kernel /vmlinuz-4.7.0-rc5+ root=/dev/sda2 console=tty0 console=ttyS0,115200n8 rhgb initrd /initramfs-4.7.0-rc5+.img
Rev: 1.4
Mellanox Technologies 27
4. If using grub2, open the /boot/grub2/grub.cfg for editing and add a new menu entry for the new installed kernel. Example of menu entry to be added (replace the vmlinuz and initramfs names with the new kernel file names and modify the entry title as desired): menuentry 'Upstream 4.12.0-rc4+' --class rhel fedora --class gnu-linux --class gnu -class os --unrestricted $menuentry_id_option 'gnulinux-4.12.0-rc4+-advanced-2d912b91d2e5-44fd-8040' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod xfs
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' f663c5e3-1cbb-
4f88-b65e-f9848f1458c9
else
search --no-floppy --fs-uuid --set=root f663c5e3-1cbb-4f88-b65e-f9848f1458c9
fi
linux16 /vmlinuz-4.12.0-rc4+ root=/dev/sda2 console=tty0 control=ttyS0,115200n8 rhgb
initrd16 /initramfs-4.12.0-rc4+.img
}
5. Once the kernel installation is complete, reboot your system and select the relevant kernel to load from the grub menu.
6. Optional - It is also possible to change the default entry value to the index of the new entry
(the indexes are zero-based) so that the new kernel will be loaded by default. This is done by changing the index value next to the word “default” at the beginning of the grub.conf file. For grub2, you can use the command: grub2-set-default.
Note:
Note:
To confirm that the required kernel version is loaded, use the "uname -r" command. The output indicates the kernel version and name.
Installing the kernel modules will also install the following Mellanox device driver modules - mlx5_core and mlx5_ib.
5.1.3 Installing the Customized iproute2 Utility
The iproute2 is a user space utilities package that controls TCP/IP networking configuration in the kernel. It includes commands such as:
• ip: for management of network tables and network interfaces. It is also used to configure packet transformation policies and the security associations (SAs) attached to those policies. ip utility is used to set up IPsec policies on security associations.
Mellanox provides a customized iproute2 utility set which exposes new flags in the ip xfrm utility to allow the user control of the IPsec tunnel offload state. Those flags provide the option to enable offload for IPsec SAs.
1. Obtain the customized iproute2 RPM file by contacting Mellanox support (File Name: iproute2-<version>.x86_64.rpm )
28 Mellanox Technologies Rev: 1.4
IPsec Offload Software Installation and Operation
2. Install the utility using the following command: rpm -i --force iproute2-<version>.x86_64.rpm
Once the installation is complete, you will have the modified iproute2 utility that supports the
IPsec offload flags installed in your system.
Note:
There are several additional user space applications that provide an interface to configure
IPsec policies and SAs (Strongswan, Libreswan and more). Please refer to the release notes of the above mentioned user space applications for IPsec offload support.
5.2
Installation via MLNX_OFED
Please note that currently none of the MLNX_OFED packages available on http://www.mellanox.com
provide support for Innova IPsec 4 Lx EN adapter card. For IPsec offload software installation, please refer to
Section 5.1, “Installation of Kernel with IPsec Offload Module,” on page 27
5.3
Operating the IPsec Offload
5.3.1 Loading/Unloading the Module
5.3.1.1 Automatic Load
The Innova IPsec Ethernet driver, mlx5_core, is loaded automatically by the kernel when an
Innova IPsec card is installed.
5.3.1.2 Manual Load/Unload
1. Load/unload mlx5_core using one of the following commands: insmod mlx5_core modprobe mlx5_core rmmod mlx5_core(unload command)
Note:
Unloading the IPsec offload module while there are active IPsec offloaded connections is not supported and the result is undefined. For proper and stable operation of the HW and
SW, the offloaded IPsec connection must be terminated via the proper utility before module unload. It is recommended to flush the existing IPsec XFRM states before restarting the mlx5_core module in case there are offloaded security associations. It can be done by running the following command: ip xfrm state flush; ip xfrm pol flush.
5.3.2 Setting up an Offloaded IPsec Connection
IPsec secured connection can be opened through the iproute2 utility. For offload support, please use the iproute2 version that is modified and supplied by Mellanox (see
Section 5.1.3, “Installing the Customized iproute2 Utility,” on page 28 ).
In order to configure an IPsec secured connection between hosts, it is necessary to:
Rev: 1.4
Mellanox Technologies 29
1. Configure the security association (SA) intended for use, with its relevant parameters (such as: crypto algorithm, key length, ESP mode, the SA ID, traffic direction of th SA and more).
2. Configure the xfrm policy which defines the type of traffic that will undergo encryption or decryption. It also sets the tunnel IP addresses which encapsulate the packet when working in
ESP tunnel mode.
The following example shows how to configure a host (one side of an IPsec connection) with an offloaded IPsec tunnel using the iproute2 utility. In this example, the tunnel is set in IPv4 mode with AES-GCM128 crypto algorithm. The keys are added manually.
1. Set the egress traffic security parameters: ip xfrm state add src
1
192.168.7.2 dst
2
192.168.7.9 proto esp spi
3
0x4c250336 reqid
4
0x4c250336 mode tunnel aead 'rfc4106(gcm(aes))'
0x44e6625f4d2fb01b03cc9baefe9b5c8de9d7b9c1
5
128 offload dev ens8
6
dir out
7
2. Set the ingress traffic security parameters: ip xfrm state add src
8
192.168.7.9 dst
9
192.168.7.2 proto esp spi
10
0x0f2e596c reqid 0x0f2e596c mode tunnel aead 'rfc4106(gcm(aes))'
0x44e6625f4d2fb01b03cc9baefe9b5c8de9d7b9c1
11
128 offload dev ens8 dir in
12
Note: offload dev ens8 dir out and offload dev ens8 dir in are the new flags which instruct the iproute2 utility to enable HW offload for the specified security policy.
3. Apply the new egress traffic security policy: ip xfrm policy add src 192.168.7.2 dst
13
192.168.7.9 dir out tmpl
14
src 192.168.7.2 dst
15
192.168.7.9 proto esp reqid 0x4c250336
mode tunnel
4. Apply the new ingress traffic security policy: ip xfrm policy add src 192.168.7.9 dst
192.168.7.2 dir in tmpl src 192.168.7.9 dst 192.168.7.2 proto esp reqid 0x0f2e596c mode tun-
nel
Note:
The above example shows how to configure a host on one side of the IPsec secured connection. The peer host must undergo the same flow listed above only with the traffic directions inverted. That is, the settings of the egress traffic in this example are the settings of the ingress traffic for the peer host.
1. The IP addresses of the src host of the egress traffic. Modify it with your own relevant addresses.
2. The IP addresses of the destination host of the egress traffic. Modify it with your own relevant addresses.
3. SPI value for egress traffic - add your own desired value.
4. SA request id - this ID is used as a reference to the new SA (for modification, destruction, attaching to a policy). Any number can be chosen here.
5. The 128 bit key concatenated with the constant initialization vector (IV) that are used for the encryption of the egress traffic.
6. The relevant network interface name - replace with your own.
7. out/in - traffic direction of this IPsec tunnel setting.
8. The IP addresses of the src host of the ingress traffic. Modify it with your own relevant addresses.
9. The IP addresses of the destination host of the ingress traffic. Modify it with your own relevant addresses.
10. SPI value for ingress traffic - add your own desired value.
11. The 128 bit key concatenated with the constant initialization vector (IV) that are used for the decryption of the ingress traffic. This traffic key does not have to be similar to the egress traffic key.
12. out/in - traffic direction of this IPsec tunnel setting.
13. The IP addresses of the inner (original) packet to undergo transformation and tunnel encapsulation.
14. Indicates that we are about to define the template of the outer IP header of our tunnel.
15. The tunnel source and destination IP addresses - can be different than the inner packet IP address.
30 Mellanox Technologies Rev: 1.4
IPsec Offload Software Installation and Operation
Once configured, the existing xfrm states (SAs) and policies can be seen using the following commands:
1. ip xfrm state - to view all the xfrm states in the kernel.
2. ip xfrm pol - to view all the xfrm policies in the kernel.
When viewing the xfrm states in the system, the flag dir in/dir out (depending on the traffic direction of the state), under the “crypto offload parameters” section, will indicate that this state is offloaded by an offload device. If these flags are not present, it indicates that encryption/decryption is not offloaded for this xfrm state and remains within the Kernel scope.
5.3.3 Destroying IPsec Tunnels
The process of destroying an offloaded IPsec tunnel remains unchanged and is similar to the destruction of a non-offloaded tunnel using the iproute2 “ip” utility.
It is required to close both the xfrm policies and the xfrm states to completely terminate a session.
A complete flush of all the policies and states can be done with the following commands:
1. ip xfrm state flush
2. ip xfrm pol flush
To delete a specific xfrm policy use the “ip xfrm policy delete <policy parameters>” command.
To delete a specific xfrm state use the “ip xfrm state delete <state parameters>” command.
When flushing all xfrm states, the flow cache is flushed automatically, so this additional operation is not required.
5.3.4 IPsec Offload Statistics
The FPGA contains several counters which provide information and statistics on the offload operation.
These counters are a part of the network interface counters and can be viewed using the ethtool
-S <interface_name> command.
Note:
The mlx5_core module must be loaded for the counters to appear in ethtool.
Table 5 - ethtool IPsec Offload Counters
Name Description
ipsec_dec_in_packets Total packets received for decryption by FPGA.
ipsec_dec_out_packets Number of packets that were received for decryption, decrypted and successfully authenticated by FPGA.
ipsec_dec_bypass_packets
Number of packets that were bypassed by FPGA in decryption direction.
Rev: 1.4
Mellanox Technologies 31
Table 5 - ethtool IPsec Offload Counters
Name Description
ipsec_enc_out_packets Number of packets that were received for encryption, encrypted and successfully authenticated by FPGA.
ipsec_enc_bypass_packets
Number of packets that were bypassed by FPGA in encryption direction.
ipsec_dec_drop_packets Number of packets dropped by decryption engine. This can be as a result of having inband metadata in packet or corrupted decryption. ipsec_dec_auth_fail_packets
Number of packets dropped by decryption engine due to authentication issue.
ipsec_enc_drop_packets Number of packets dropped by encryption engine. This can be as a result of more VLAN tags than the number supported by FPGA, having inband metadata or miss in
SADB. ipsec_add_sa_success Total amount of SAs successfully added by FPGA.
ipsec_add_sa_fail Total amount of failed SA add commands by FPGA. This can be a result of adding an already valid SA. ipsec_del_sa_success ipsec_del_sa_fail ipsec_cmd_drop
Total amount of SAs successfully removed by FPGA.
Total amount of failed SA remove commands by FPGA.
This can be a result of remove command on invalid SA.
Total amount of failed commands. This can be a result of failure to parse command.
32 Mellanox Technologies Rev: 1.4
mlx_fpga Tool
6 mlx_fpga Tool
mlx_fpga tool allows the user to burn and update a new FPGA image on Innova IPsec adapter card. The tool also enables the user to read/write individual registers in the FPGA configuration space.
6.1
Tool Requirements
• Innova IPsec 4 Lx EN adapter card with an FPGA device
• Download MFT via: www.mellanox.com
=> Products => Programmable Adapter Cards
=> Innova IPsec => FW & SW. For supported MFT version, please refer to Mellanox
Innova IPsec 4 Lx EN Release Notes.
• Extract the TGZ and run - install.sh
• Load mlx5_fpga_tools module. See Section 4.2.2, “mlx5_fpga_tools Module,” on page 25
.
• Start mst service with the fpga lookup flag (mst start --with_fpga)
6.2
mlx_fpga Synopsis
# mlx_fpga [-d <device> ] < read <addr> | write <addr> <value> | b <image path> | clear_semaphore
| reset | load | query where:
-d|--device <device>
-v|--version
-h|--help r |read <addr> w |write <addr> <data> b |burn <bin> l |load clear_semaphore reset q |query
FPGA mst device interface
Display version info
Display help message
Read debug register in address
Write data to debug register in address
Burn image on flash
Load image from flash (--factory - load image from factory flash)
Unlock flash controller semaphore
Reset FPGA (--fpga)
Query general FPGA information
Rev: 1.4
Mellanox Technologies 33
6.3
Examples of mlx_fpga Usage
6.3.1 Adding FPGA mst Device Interface
apps-13:~ # modprobe mlx5_fpga_tools apps-13:~ # mst start --with_fpga apps-13:~ # mst status
MST modules:
------------
MST PCI module is not loaded
MST PCI configuration module is not loaded
MST devices:
------------
No MST devices were found nor MST modules were loaded.
You may need to run 'mst start' to load MST modules.
FPGA devices:
-------------------
/dev/mst/mt4117_pciconf0_fpga_i2c
/dev/mst/mt4117_pciconf1_fpga_rdma a a. It is recommended to use the RDMA device as it uses the “fast path” to the FPGA. I2C is used for recovery purposes when RDMA is not functional.
6.3.1.1 Burning the FPGA’s Flash Device Using the mlx_fpga Burning Tool
mlx_fpga tool burns a .bin file onto the FPGA flash device.
It is recommended to burn the FPGA device using an RDMA device as it uses the “fast path” to the FPGA thus minimizing the burning time.
Step 1.
Burn the image.
# mlx_fpga -d <device> burn image.bin
Step 2.
Load the FPGA image from flash according to Section 6.3.1.2, “Loading Tool,” on page 34
or power cycle the machine for change to take effect.
6.3.1.2 Loading Tool
• Load an FPGA image from user configurable flash:
# mlx_fpga -d <device> l/load <optional: load options> where
<optional: load options>
is:
--factory
--user
Load FPGA image from factory flash
Load FPGA image from user flash [default option]
34 Mellanox Technologies Rev: 1.4
mlx_fpga Tool
6.3.1.3 Debugging Tool
• Reading One Debug Register:
# mlx_fpga -d <device> read 0x0
• Writing One Debug Register:
# mlx_fpga -d <device> write 0x0 0x0
6.3.1.4 Update FPGA Image
In order to verify the new image burned to the FPGA, the user can use mlx_fpga tool to read the following registers:
Name
image_version image_date image_time
Address
0x900000
0x900004
0x900008
Range
31:00:00
31:00:00
31:00:00
Default
0x0
0x0
0x0
RW
RO
RO
RO
Description
Version of the image
Image date of creation. The hex number is actually the decimal value, i.e. 0x12011995 means 12/01/1995 in DD/MM/
YY: bits [31:24] = day of creation bits [23:16] = month of creation bits [15:0] = year of creation
Image time of creation. The hex number is actually the decimal value, i.e. 0x00015324 means 01:53:24 in
HH:MM:SS: bits [23:16] = hour (00..23) bits [15:8] = minutes (00..59) bits [7:0] = seconds (00..59)
Rev: 1.4
Mellanox Technologies 35
7 Updating Innova IPsec Adapter Card Firmware
This section applies only when updating the ConnectX-4 Lx firmware. In order to burn and update the FPGA image, please refer to
Chapter 6,“mlx_fpga Tool” on page 33.
Each card is shipped with the latest version of qualified ConnectX-4 Lx firmware at the time of manufacturing. However, Mellanox issues firmware updates occasionally. Please contact Mellanox for the correct Firmware version.
Firmware can be updated on the stand-alone single card using the flint tool of the Mellanox
Firmware Tools (MFT) package. Please contact Mellanox for the correct MFT package.
The following steps describe how to retrieve the PSID (firmware identification) and programmed firmware version of your adapter card. They also describe how to update the card with the latest firmware version available.
1. Retrieve the PSID and firmware version: a. Install the MFT package. b. Enter: mst start.
c. Get the Mellanox mst device name using the command "mst status". The mst device name will be of the form: /dev/mst/mt4117_pciconf0.
d. Get the PSID (firmware identification) and programmed firmware version using the command ' flint -d <mst device> q', where <mst device> is the device retrieved in step c.
The shown versions and/or parameter values in the example below may not reflect the latest or actual values for this product, and are included here for illustration purposes only.
> flint -d /dev/mst/mt4117_pci_cr0 q
Image type: ConnectX-4 Lx
FW Version: 14.12.1000
Device ID: 4117
Chip Revision: 0
Description: Node Port1 Port2
Sys image
GUIDs: 000002c900000200 000002c900000201 000002c900000202
000002c900000203
MACs:
000002c90200 000002c90201
Board ID: (MT_2410110034MT_2490110032)
VSD:
PSID: MT_2410110034MT_2490110032
2. To burn the new FW image to ConnectX-4 Lx flash: a. Install mst package and start mst as in section 1 above
36 Mellanox Technologies Rev: 1.4
b. To burn the firmware, run: mlxburn -d /dev/mst/mt4117_pciconf0 -i <fw.bin> c. To load the firmware, run: mlxfwreset -d /dev/mst/mt4117_pciconf0 reset -y
Updating Innova IPsec Adapter Card Firmware
Rev: 1.4
Mellanox Technologies 37
8 Troubleshooting
8.1
General
Server unable to find the adapter
The adapter no longer works
Adapters stopped working after installing another adapter
Link indicator light is off
Link light is on, but with no communication established
FPGA not found on mst status
• Ensure that the adapter is placed correctly
• Make sure the adapter slot and the adapter are compatible
• Install the adapter in a different PCI Express slot
• Use the drivers that came with the adapter or download the latest
• Make sure your motherboard has the latest BIOS
• Try to reboot the server
• Reseat the adapter in its slot or a different slot, if necessary
• Try using another cable
• Reinstall the drivers for the network driver files may be damaged or deleted
• Reboot the server
• Try removing and re-installing all adapters
• Check that cables are connected properly
• Make sure your motherboard has the latest BIOS
• Ensure that adapter driver/s is loaded
• Try another port on the switch
• Make sure the cable is securely attached
• Check you are using the proper cables that do not exceed the recommended lengths
• Verify that your switch and adapter port are compatible
• Check that the latest driver is loaded
• Check that both the adapter and its link are set to the same speed and duplex settings
• Verify the Innova IPsec kernel is loaded
• Load mlx5_fpga_tools module
• Start mlx_fpga tool uname -r modprobe mlx5_fpga_tools mst start --with_fpga mst status
38 Mellanox Technologies Rev: 1.4
8.2
Linux
Environment
Information
Card Detection
cat/etc/issue uname –a cat/proc/cupinfo | grep ‘model name’ | uniq ofed_info | head -1 ifconfig –a ethtool <interface> ethtool –i <interface_of_Mellanox_port_num> ibdev2netdev lspci | grep –i Mellanox
Download and install MFT: http://www.mellanox.com/content/pages.php?pg=management_tools&menu_section=34
Refer to the User Manual for installation instructions.
Mellanox Firmware Tool
(MFT)
Ports Information
Firmware Version
Upgrade
Collect Log File
Once installed, run: mst start mst status flint –d <mst_device> q ibstat lbv_devinfo
To download the latest firmware version refer to http://www.mellanox.com/supportdownloader
/var/log/messages dmesg > system.logF
Troubleshooting
Rev: 1.4
Mellanox Technologies 39
9 Specifications
9.1
MNV101511A-BCIT Specifications
Table 6 - MNV101511A-BCIT Specifications Table
Physical
Size: 2.7 in. x 6.6 in. (68.9 mm x167.65 mm)
Connector: Single QSFP (Copper and optical)
Protocol Support
Ethernet: 40GBASE-CR4, 40GBASE-KR4, 40GBASE-SR4, 40GBASE-ER4,
40GBASE-R2, 10GBASE-SR, 10GBASE-LR,10GBASE-ER, 10GBASE-CR,
10GBASE-KR
Data Rate: 10/40Gb/s – Ethernet
PCI Express Gen3: SERDES @ 8.0GT/s, 8 lanes (2.0 and 1.1 compatible)
Voltage: 3.3Vaux, 12V
Typ Power: Passive Cables: 18W
Power and
Environmental
Max Power: Passive Cables: less than 20.2W
1.5W Active Cables: 22W
Max power available through QSFP port: 1.5W
Temperature: Operational 0°C to 55°C a
Non-operational -40°C to 70°C
Humidity: 90% relative humidity b
Regulatory
Cable Support
Air Flow
cd
: 450LFM at 45°C
750 LFM at 55°C
Safety: IEC/EN 60950-1:2006
ETSI EN 300 019-2-2
IEC 60068-2- 64, 29, 32
RoHS: RoHS-R6
Please refer to http://www.mellanox.com/products/interconnect/cables-configurator.php
a. Ambient temperature may vary. Please contact Mellanox technical support if further assistance is needed.
b. For both operational and non-operational states.
c. Air flow is measured ~1” from the heat sink between the heat sink and the cooling air inlet.
d. Airflow requirements may vary according to ambient temperature and other parameters. Please contact
Mellanox technical support if further assistance is needed.
40 Mellanox Technologies Rev: 1.4
9.2
Innova IPsec 4 Lx EN LEDs
Figure 3: MNV101511A-BCIT LEDs Placement
1
(Example)
Specifications
Group A LEDs: Network LEDs - these LEDs indicate the network link status. See Section 9.2.1,
“Network LEDs Operation,” on page 42
for details.
Group B LEDs: Debug LEDs - indicate memory calibration done, memory BIST done, Con-
nectX-4 Lx link up is with traffic, Heartbeat and power good. See Section 9.2.2, “FPGA Debug
LEDs,” on page 43 for details.
Group C LEDs: FPGA load-flow Debug LEDs - see
Section 9.2.3, “FPGA Load-Flow Debug
1. The adapter card is shipped with the heat sink assembled.
Rev: 1.4
Mellanox Technologies 41
9.2.1 Network LEDs Operation
Table 7 - Physical and Logical Link Indications
LED Function
Amber - physical link • Constant on indicates a good physical link
• Blinking indicates a problem with the physical link
• If neither LED is lit, then the physical link has not been established
Green - logical (data activity) link
• Constant on indicates a valid logical (data activity) link without data transfer.
• Blinking indicates a valid logical link with data transfer
• If only the green LED is lit and the Amber LED is off, then the logical link has not been established
LED Symbol
D1
42 Mellanox Technologies Rev: 1.4
9.2.2 FPGA Debug LEDs
Note:
D2-D9 are the “symbols” of these LEDs as printed on the board.
Table 8 - FPGA Debug LEDs
LED Symbols
D2
D3
D4
D5
D6
D7
D8
D9
LED Function
Power Good - Or on all POWER-GOOD inputs. Expected
LED ON.
Clock - the LED starts blinking once out of reset and the clock is running. Expected blinking LED 1Hz.
DDR Calibration DONE - the LED will be ON after powerup, if DDR calibration is successful.
DDR BIST Passed - DDR Built In Test runs once after power-up. LED will turn on if test passes successfully.
ConnectX Port Ready - the LED will be ON when FPGA-
ConnectX link is up.
ConnectX Port Traffic - the LED will blink when there is
FPGA-ConnectX traffic (TX/SX).
Network Port Ready - the LED will be ON when FPGA-
Network link is up.
Network Port Traffic - the LED will blink when there is
FPGA-Network traffic (TX/SX).
9.2.3 FPGA Load-Flow Debug LEDs
Table 9 - FPGA Load-Flow Debug LEDs
LED
Green - power good
Off - power issue
Red - during configuration
Green - when complete
Red - factory default
Green - user image
LED Symbol and Function
D10 - Power Good
D11- Configuration Done Indication
D12 - Configuration Image Selection
Specifications
Rev: 1.4
Mellanox Technologies 43
9.3
Board Mechanical Drawing and Dimensions
All dimensions are in millimeters.
All the mechanical tolerances are +/- 0.1mm.
Figure 4: Mechanical Drawing of the MNV101511A-BCIT Innova IPsec Adapter Card
167.65
68.9
44 Mellanox Technologies Rev: 1.4
9.4
Bracket Mechanical Drawing
Figure 5: Single-Port Tall Bracket
21.6
Specifications
120.02
Rev: 1.4
Mellanox Technologies 45
Figure 6: Single-Port Short Bracket
22.83
80.3
46 Mellanox Technologies Rev: 1.4
Appendix A: Fast Installation and Update
A.1
Hardware Installation
1. Shut down your system if active.
2. After shutting down the system, turn off power and unplug the cord.
3. Place the adapter in a standard PCI Express slot.
For further details, please refer to
Chapter 3,“Hardware Installation” on page 19.
A.2
Content of Innova IPsec Bundle
Mellanox provides an IPsec bundle which includes the following:
• FPGA image bin file
• Kernel RPM files
• MFT tarball file
• Firmware bin files
• Offload scripts (xfrm, iproute)
A.3
Software, Firmware and Tools Installation
The following instructions apply to installation only. If the bundle is already installed, please refer to
Appendix A.4, “Software, Firmware and Tools Update,” on page 48
.
Please make sure to install in the following order:
Step 1.
Step 1.
Step 2.
Download the bundle from www.mellanox.com
=> Products => Programmable Adapter
Cards => Innova IPsec => FW & SW. Each card is shipped with the latest version of the qualified FPGA image and firmware at the time of manufacturing. Please download the
Innova IPsec bundle that matches the FPGA image burned on your card.
To install the kernel:
Step 1.
Locate the RPM files in the Kernel folder:
• rpm -i kernel-<kernel_version>.rpm
• rpm -i kernel-devel-<kernel_version>.rpm
Step 2.
Reboot your system and select the relevant kernel to load from the grub menu.
To install MFT:
Untar the MFT tar file.
Install MFT by running: install.sh
Step 3.
Start MFT:
Step a.
modprobe mlx5_fpga_tools
Step b.
mst start --with_fpga
Rev: 1.4
Mellanox Technologies 47
Step c.
mst status apps-13:~ # modprobe mlx5_fpga_tools apps-13:~ # mst start --with_fpga apps-13:~ # mst status
MST modules:
------------
MST PCI module is not loaded
MST PCI configuration module is not loaded
MST devices:
------------
No MST devices were found nor MST modules were loaded.
You may need to run 'mst start' to load MST modules.
FPGA devices:
-------------------
/dev/mst/mt4117_pciconf0_fpga_i2c
/dev/mst/mt4117_pciconf1_fpga_rdma a a. It is recommended to use the RDMA device as it uses the fast path to the FPGA. I2C is used for recovery purposes when RDMA is not functional.
In case the FPGA image does not match the new bundle, the user must first downgrade the kernel, MFT and FW to the ones matching the FPGA image, update the image and only then upgrade the other components, as described in
Appendix A.4, “Software, Firmware and Tools
.
A.4
Software, Firmware and Tools Update
In order to update FPGA image, all other components (kernel/MFT/FW) MUST match the same release. Please follow the exact order of the following steps where FPGA image update is first,
FW is second, kernel is third and MFT is last.
Step 1.
To download the bundle, please refer to www.mellanox.com
=> Products => Programmable
Adapter Cards => Innova IPsec => FW & SW
To update the FPGA image:
Step 1.
Locate the FPGA image bin file in the Images folder.
48 Mellanox Technologies Rev: 1.4
Step 2.
Find the device installed.
Rev: 1.4
Step 3.
Step 3.
Burn the FPGA image: mlx_fpga -d /dev/mst/mt4117_pciconf0_fpga_rdma burn <fpga_image.bin>
For further details, please refer to
Chapter 6,“mlx_fpga Tool” on page 33
To burn the latest Firmware:
Step 1.
Step 2.
Locate the firmware bin file in FW folder:
Burn the firmware: mlxburn -d /dev/mst/mt4117_pciconf0 -i <fw.bin>
To load the firmware:
Step 1.
mlxfwreset -d /dev/mst/mt4117_pciconf0 reset -y
For further details, please refer to
Chapter 7,“Updating Innova IPsec Adapter Card Firmware” on page 36
.
To install the most updated kernel:
Locate the RPM files in the Kernel folder:
• rpm -i kernel-<kernel_version>.rpm
• rpm -i kernel-devel-<kernel_version>.rpm
Reboot your system and select the relevant kernel to load from the grub menu.
Step 2.
For further details, please refer to
Chapter 5,“IPsec Offload Software Installation and Operation” on page 27.
Mellanox Technologies 49
To update MFT:
Step 1.
Untar the MFT tar file.
Step 2.
Install MFT by running: install.sh
Step 3.
Start MFT:
Step a.
modprobe mlx5_fpga_tools
Step b.
mst start --with_fpga
Step c.
mst status apps-13:~ # modprobe mlx5_fpga_tools apps-13:~ # mst start --with_fpga apps-13:~ # mst status
MST modules:
------------
MST PCI module is not loaded
MST PCI configuration module is not loaded
MST devices:
------------
No MST devices were found nor MST modules were loaded.
You may need to run 'mst start' to load MST modules.
FPGA devices:
-------------------
/dev/mst/mt4117_pciconf0_fpga_i2c
/dev/mst/mt4117_pciconf1_fpga_rdma a a. It is recommended to use the RDMA device as it uses the fast path to the FPGA. I2C is used for recovery purposes when RDMA is not functional.
50 Mellanox Technologies Rev: 1.4
Appendix B: Interface Connectors Pinout
B.1
QSFP Connector Pinout
Figure 7: Connector and Cage Views
Rev: 1.4
Table 10 - Connector Pin Number and Name to Signal Name Map
Connector Pin Number Connector Pin Name
1
2
3
4
5
6
7
8
9
10
GND
TXN_2
TXP_2
GND
TXN_4
TXP_4
GND
ModSelL_Port0
ResetL_Port0
Port A Signal Name
GND
Tx2n
Tx2p
GND
Tx4n
Tx4p
GND
ModSelL
ResetL
VccRx
Mellanox Technologies 51
Table 10 - Connector Pin Number and Name to Signal Name Map
31
32
33
34
27
28
29
30
35
36
37
38
23
24
25
26
19
20
21
22
15
16
17
18
11
12
13
14
Connector Pin Number Connector Pin Name
SCL
SDA
GND
RXP_3
RXN_3
GND
RXP_1
RXN_1
GND
GND
RXN_2
RXP_2
GND
RXN_4
RXP_4
GND
ModPrsl_Port0
IntL
LPMode_Port0
GND
TXP_3
TXN_3
GND
TXP_1
TXN_1
GND
Port A Signal Name
Mod PrsL
IntL
VccTx
Vcc1
LPMode
GND
Tx3p
Tx3n
GND
Tx1p
Tx1n
GND
GND
GND
Rx2n
Rx2p
GND
Rx4n
Rx4p
GND
SCL
SDA
GND
Rx3p
Rx3n
GND
Rx1p
Rx1n
52 Mellanox Technologies Rev: 1.4
B.2
PCI Express x8 Connector Pinout
The adapter cards use a standard PCI Express x8 edge connector and the PCI Express x8 standard pinout according to the PCI Express 3.0 specification.
Figure 8: PCIe x8 Connector Pinout
Rev: 1.4
Mellanox Technologies 53
B.3
I
2
C-compatible Connector Pinout
Figure 9: Compatible Connector Plug and Pinout
Connector Pin
Number
1
2
3
Signal Name
GND
SCL
SDA
54 Mellanox Technologies Rev: 1.4
Appendix C: Finding the MAC and Serial Number on the
Adapter Card
Each Mellanox adapter card has a different identifier printed on the label: serial number, and the card MAC for the Ethernet protocol.
The revision indicated on the labels in the following figures do not necessarily represent the latest revision of the card.
Figure 10: MNV101511A-BCIT Board Label
Rev: 1.4
Mellanox Technologies 55
Appendix D: Safety Warnings
1. Installation Instructions
Read all installation instructions before connecting the equipment to the power source.
2. Over-temperature
This equipment should not be operated in an area with an ambient temperature exceeding the maximum recommended: 55°C (131°F).
To guarantee proper air flow, allow at least 8cm (3 inches) of clearance around the ventilation openings.
3. During Lightning - Electrical Hazard
During periods of lightning activity, do not work on the equipment or connect or disconnect cables.
4. Copper Cable Connecting/Disconnecting
Some copper cables are heavy and not flexible, as such they should be carefully attached to or detached from the connectors. Refer to the cable manufacturer for special warnings and instructions.
5. Equipment Installation
This equipment should be installed, replaced, or serviced only by trained and qualified personnel.
6. Equipment Disposal
Disposal of this equipment should be in accordance to all national laws and regulations.
7. Local and National Electrical Codes
This equipment should be installed in compliance with local and national electrical codes.
56 Mellanox Technologies Rev 2.4
8. Hazardous Radiation Exposure
Caution – Use of controls or adjustment or performance of procedures other than those specified herein may result in hazardous radiation exposure.
CLASS 1 LASER PRODUCT and reference to the most recent laser standards:
IEC 60 825-1:1993 + A1:1997 + A2:2001 and EN 60825-1:1994+A1:1996+
A2:20.
Rev 2.4
Mellanox Technologies 57
Appendix E: Avertissements de sécurité d’installation (Warnings in French)
1. Instructions d’installation
Lisez toutes les instructions d’installation avant de brancher le matériel à la source d’alimentation électrique.
2. Température excessive
Ce matériel ne doit pas fonctionner dans une zone avec une température ambiante dépassant le maximum recommandé de 55°C (131°F). Un flux d’air de 200LFM à cette température ambiante maximale est nécessaire. En outre, pour garantir un bon
écoulement de l’air, laissez au moins 8 cm (3 pouces) d’espace libre autour des ouvertures de ventilation.
3. Orages – dangers électriques
Pendant un orage, il ne faut pas utiliser le matériel et il ne faut pas brancher ou débrancher les câbles.
4. Branchement/débranchement des câbles en cuivre
Les câbles en cuivre sont lourds et ne sont pas flexibles, il faut donc faire très attention en les branchant et en les débranchant des connecteurs. Consultez le fabricant des câbles pour connaître les mises en garde et les instructions spéciales.
5. Installation du matériel
Ce matériel ne doit être installé, remplacé ou entretenu que par du personnel formé et qualifié.
6. Elimination du matériel
L’élimination de ce matériel doit s’effectuer dans le respect de toutes les législations et réglementations nationales en vigueur.
7. Codes électriques locaux et nationaux
Ce matériel doit être installé dans le respect des codes électriques locaux et nationaux.
58 Mellanox Technologies Rev 2.4
8. Exposition au rayonnement grave
Mise en garde – l'utilisation de commandes ou de réglages ou l'exécution de procédures autres que ce qui est spécifié dans les présentes peut engendrer une exposition au rayonnement grave.
PRODUIT LASER DE CLASSE 1 » et références aux normes laser les plus récentes CEI 60 825-1
Rev 2.4
Mellanox Technologies 59
Appendix F: Sicherheitshinweise (Warnings in German)
1. Installationsanleitungen
Lesen Sie alle Installationsanleitungen, bevor Sie das Gerät an die Stromversorgung anschließen.
2. Übertemperatur
Dieses Gerät sollte nicht in einem Bereich mit einer Umgebungstemperatur über der maximal empfohlenen Temperatur von 55°C (131°F) betrieben werden. Es ist ein Luftstrom von 200 LFM bei maximaler Umgebungstemperatur erforderlich. Außerdem sollten mindestens 8 cm (3 in.) Freiraum um die Belüftungsöffnungen sein, um einen einwandfreien Luftstrom zu gewährleisten.
3. Bei Gewitter - Elektrische Gefahr
Arbeiten Sie während eines Gewitters und Blitzschlag nicht am Gerät, schließen Sie keine Kabel an oder ab.
4. Anschließen/Trennen von -Kupferkabel
Kupferkabel sind schwer und nicht flexible. Deshalb müssen sie vorsichtig an die
Anschlüsse angebracht bzw. davon getrennt werden. Lesen Sie die speziellen Warnungen und Anleitungen des Kabelherstellers.
5. Geräteinstallation
Diese Gerät sollte nur von geschultem und qualifiziertem Personal installiert, ausgetauscht oder gewartet werden.
6. Geräteentsorgung
Die Entsorgung dieses Geräts sollte unter Beachtung aller nationalen Gesetze Bestimmungen erfolgen.
7. Regionale und nationale elektrische Bestimmungen t
Dieses Gerät sollte unter Beachtung der regionalen und nationalen elektrischen Bestimmungen installiert werden.
60 Mellanox Technologies Rev 2.4
8. Strahlenkontak
Achtung – Nutzung von Steuerungen oder Einstellungen oder Ausführung von
Prozeduren, die hier nicht spezifiziert sind, kann zu gefährlichem Strahlenkontakt führen.
Klasse 1 Laserprodukt und Referenzen zu den aktuellsten Lasterstandards :
ICE 60 825-1
Rev 2.4
Mellanox Technologies 61
Appendix G: Advertencias de seguridad para la instalación
(Warnings in Spanish)
1. Instrucciones de instalación
Antes de conectar el equipo a la fuente de alimentación, leer todas las instrucciones de instalación.
2. Sobrecalentamiento
No se debe utilizar el equipo en un área con una temperatura ambiente superior a la máxima recomendada: 55°C(131°F). Además, para garantizar una circulación de aire adecuada, se debe dejar como mínimo un espacio de 8 cm (3 pulgadas) alrededor de las aberturas de ventilación.
3. Cuando hay rayos: peligro de descarga eléctrica
No utilizar el equipo ni conectar o desconectar cables durante períodos de actividad de rayos.
4. Conexión y desconexión del cable Copper
Dado que los cables de cobre son pesados y no son flexibles, su conexión a los conectores y su desconexión se deben efectuar con mucho cuidado. Para ver advertencias o instrucciones especiales, consultar al fabricante del cable.
5. Instalación de equipos
La instalación, el reemplazo y el mantenimiento de este equipo estarán a cargo únicamente de personal capacitado y competente.
6. Eliminación de equipos
La eliminación definitiva de este equipo se debe efectuar conforme a todas las leyes y reglamentaciones nacionales.
7. Códigos eléctricos locales y nacionales
Este equipo se debe instalar conforme a los códigos eléctricos locales y nacionales.
62 Mellanox Technologies Rev 2.4
8. Exposición a niveles de radiación peligrosos
Precaución: el uso de controles o ajustes o la realización de procedimientos distintos de los que aquí se especifican podrían causar exposición a niveles de radiación peligrosos.
PRODUCTO LÁSER DE CLASE 1 y referencia a las normas de láser más recientes:
IEC 60825-1
Rev 2.4
Mellanox Technologies 63
advertisement
Key Features
- 10/40 Gigabit Ethernet
- IPsec Offload
- Overlay Networks
- RDMA and RDMA over Converged Ethernet (RoCE)
- Mellanox PeerDirect™
- CPU offload
- Hardware-based I/O
- Virtualization
- Storage Acceleration
- Distributed RAID
Frequently Answers and Questions
What are the system requirements for Innova IPsec 4 Lx?
What operating systems/distributions are supported by the Innova IPsec 4 Lx?
What is the purpose of the Innova IPsec 4 Lx's on-board FPGA?
What are the benefits of using the Innova IPsec 4 Lx for IPsec offload?
What IPsec protocols and internet protocols are supported by the Innova IPsec 4 Lx?
Related manuals
advertisement
Table of contents
- 3 Table of Contents
- 7 List of Tables
- 9 List of Figures
- 10 Revision History
- 12 Chapter 1 Introduction
- 13 1.1 Product Overview
- 14 1.2 Features and Benefits
- 16 1.3 Block Diagram
- 16 1.4 Operating Systems/Distributions
- 17 1.5 Connectivity
- 17 1.6 Related Documents
- 18 Chapter 2 Interfaces
- 18 2.1 Ethernet QSFP Interface
- 18 2.2 PCI Express Interface
- 18 2.3 LED Interface
- 19 Chapter 3 Hardware Installation
- 19 3.1 System Requirements
- 19 3.1.1 Hardware
- 19 3.1.2 Operating Systems/Distributions
- 19 3.2 Safety Precautions
- 19 3.3 Pre-installation Checklist
- 19 3.4 Bracket Installation Instructions
- 20 3.4.1 Removing the Existing Bracket
- 20 3.4.2 Installing the New Bracket
- 20 3.5 Card Installation Instructions
- 21 3.6 Cables and Modules
- 21 3.6.1 Cable Installation
- 22 3.7 Identify the Card in Your System
- 23 Chapter 4 Innova IPsec Offload Overview
- 23 4.1 Security Engines and IPsec Protocols
- 24 4.1.1 Offloaded IPsec Protocols and Internet Protocols
- 24 4.1.1.1 IPsec Protocols
- 24 4.1.1.2 Internet Protocols
- 24 4.2 IPsec Offload Kernel and Driver
- 24 4.2.1 Innova IPsec Ethernet Driver Module
- 25 4.2.2 mlx5_fpga_tools Module
- 25 4.2.3 Key Generation and Exchange
- 26 4.3 IPsec Offload for DPDK Applications
- 27 Chapter 5 IPsec Offload Software Installation and Operation
- 27 5.1 Installation of Kernel with IPsec Offload Module
- 27 5.1.1 Obtaining the Kernel Modules
- 27 5.1.2 Installing the Kernel and Driver
- 28 5.1.3 Installing the Customized iproute2 Utility
- 29 5.2 Installation via MLNX_OFED
- 29 5.3 Operating the IPsec Offload
- 29 5.3.1 Loading/Unloading the Module
- 29 5.3.1.1 Automatic Load
- 29 5.3.1.2 Manual Load/Unload
- 29 5.3.2 Setting up an Offloaded IPsec Connection
- 31 5.3.3 Destroying IPsec Tunnels
- 31 5.3.4 IPsec Offload Statistics
- 33 Chapter 6 mlx_fpga Tool
- 33 6.1 Tool Requirements
- 33 6.2 mlx_fpga Synopsis
- 34 6.3 Examples of mlx_fpga Usage
- 34 6.3.1 Adding FPGA mst Device Interface
- 34 6.3.1.1 Burning the FPGA’s Flash Device Using the mlx_fpga Burning Tool
- 34 6.3.1.2 Loading Tool
- 35 6.3.1.3 Debugging Tool
- 35 6.3.1.4 Update FPGA Image
- 36 Chapter 7 Updating Innova IPsec Adapter Card Firmware
- 38 Chapter 8 Troubleshooting
- 38 8.1 General
- 39 8.2 Linux
- 40 Chapter 9 Specifications
- 40 9.1 MNV101511A-BCIT Specifications
- 41 9.2 Innova IPsec 4 Lx EN LEDs
- 42 9.2.1 Network LEDs Operation
- 43 9.2.2 FPGA Debug LEDs
- 43 9.2.3 FPGA Load-Flow Debug LEDs
- 44 9.3 Board Mechanical Drawing and Dimensions
- 45 9.4 Bracket Mechanical Drawing
- 47 Appendix A Fast Installation and Update
- 47 A.1 Hardware Installation
- 47 A.2 Content of Innova IPsec Bundle
- 47 A.3 Software, Firmware and Tools Installation
- 48 A.4 Software, Firmware and Tools Update
- 51 Appendix B Interface Connectors Pinout
- 51 B.1 QSFP Connector Pinout
- 53 B.2 PCI Express x8 Connector Pinout
- 54 B.3 I2C-compatible Connector Pinout
- 55 Appendix C Finding the MAC and Serial Number on the Adapter Card
- 56 Appendix D Safety Warnings
- 60 Appendix F Sicherheitshinweise (Warnings in German)