Mellanox Innova IPsec 4 Lx Ethernet Adapter Card User Manual

Mellanox Innova IPsec 4 Lx Ethernet Adapter Card User Manual
Add to My manuals

The Innova IPsec 4 Lx provides security acceleration for IPsec-enabled networks while taking advantage of the ConnectX-4 Lx Ethernet (EN) integrated circuit device’s best-in-class performance, unmatched scalability, and efficiency.

advertisement

Assistant Bot

Need help? Our chatbot has already read the manual and is ready to assist you. Feel free to ask any questions about the device, but providing details will make the conversation more productive.

Mellanox Innova IPsec 4 Lx Ethernet Adapter Card User Manual | Manualzz

Mellanox Innova™ IPsec 4 Lx

Ethernet Adapter Card User Manual

Rev 1.4

www.mellanox.com

Mellanox Technologies

NOTE:

THIS HARDWARE, SOFTWARE OR TEST SUITE PRODUCT (“PRODUCT (S)”) AND ITS RELATED

DOCUMENTATION ARE PROVIDED BY MELLANOX TECHNOLOGIES “AS-IS” WITH ALL FAULTS OF ANY

KIND AND SOLELY FOR THE PURPOSE OF AIDING THE CUSTOMER IN TESTING APPLICATIONS THAT

USE THE PRODUCTS IN DESIGNATED SOLUTIONS. THE CUSTOMER'S MANUFACTURING TEST

ENVIRONMENT HAS NOT MET THE STANDARDS SET BY MELLANOX TECHNOLOGIES TO FULLY

QUALIFY THE PRODUCT(S) AND/OR THE SYSTEM USING IT. THEREFORE, MELLANOX TECHNOLOGIES

CANNOT AND DOES NOT GUARANTEE OR WARRANT THAT THE PRODUCTS WILL OPERATE WITH THE

HIGHEST QUALITY. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

NONINFRINGEMENT ARE DISCLAIMED. IN NO EVENT SHALL MELLANOX BE LIABLE TO CUSTOMER OR

ANY THIRD PARTIES FOR ANY DIRECT, INDIRECT, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

DAMAGES OF ANY KIND (INCLUDING, BUT NOT LIMITED TO, PAYMENT FOR PROCUREMENT OF

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT , STRICT LIABILITY,

OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY FROM THE USE OF THE

PRODUCT(S) AND RELATED DOCUMENTATION EVEN IF ADVISED OF THE POSSIBILITY OF SUCH

DAMAGE.

Mellanox Technologies

350 Oakmead Parkway Suite 100

Sunnyvale, CA 94085

U.S.A.

www.mellanox.com

Tel: (408) 970-3400

Fax: (408) 970-3403

© Copyright 2017. Mellanox Technologies Ltd . All Rights Reserved .

Mellanox®, Mellanox logo, Accelio®, BridgeX®, CloudX logo, CompustorX®, Connect -IB®, ConnectX®,

CoolBox® , CORE-Direct® , EZchip®, EZchip logo, EZappliance®, EZdesign®, EZdriver®, EZsystem®,

GPUDirect®, InfiniHost®, InfiniBridge®, InfiniScale®, Kotura®, Kotura logo, Mellanox CloudRack® , Mellanox

CloudXMellanox® , Mellanox Federal Systems® , Mellanox HostDirect® , Mellanox Multi-Host® , Mellanox Open

Ethernet®, Mellanox OpenCloud® , Mellanox OpenCloud Logo® , Mellanox PeerDirect® , Mellanox ScalableHPC® ,

Mellanox StorageX® , Mellanox TuneX® , Mellanox Connect Accelerate Outperform logo , Mellanox Virtual Modular

Switch®, MetroDX®, MetroX®, MLNX-OS®, NP-1c®, NP-2®, NP-3®, Open Ethernet logo , PhyX®, PlatformX®,

PSIPHY®, SiPhy®, StoreX®, SwitchX®, Tilera®, Tilera logo, TestX®, TuneX®, The Generation of Open Ethernet logo, UFM®, Unbreakable Link® , Virtual Protocol Interconnect®, Voltaire® and Voltaire logo are registered trademarks of Mellanox Technologies , Ltd.

All other trademarks are property of their respective owners .

For the most updated list of Mellanox trademarks, visit http://www.mellanox.com/page/trademarks

Doc #: MLNX-15-50911 Mellanox Technologies 2

Table of Contents

Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.1 Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

1.2 Features and Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1.3 Block Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.4 Operating Systems/Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.5 Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

1.6 Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Chapter 2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.1 Ethernet QSFP Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.2 PCI Express Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.3 LED Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 3 Hardware Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.1.1 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.1.2 Operating Systems/Distributions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.2 Safety Precautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.3 Pre-installation Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.4 Bracket Installation Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.4.1 Removing the Existing Bracket. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3.4.2 Installing the New Bracket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3.5 Card Installation Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3.6 Cables and Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.6.1 Cable Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.7 Identify the Card in Your System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Chapter 4 Innova IPsec Offload Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.1 Security Engines and IPsec Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.1.1 Offloaded IPsec Protocols and Internet Protocols . . . . . . . . . . . . . . . . . . . 24

4.1.1.1 IPsec Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

4.1.1.2 Internet Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

4.2 IPsec Offload Kernel and Driver. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Rev 1.4

Mellanox Technologies 3

4

4.2.1 Innova IPsec Ethernet Driver Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

4.2.2 mlx5_fpga_tools Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4.2.3 Key Generation and Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4.3 IPsec Offload for DPDK Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 5 IPsec Offload Software Installation and Operation. . . . . . . . . . . . 27

5.1 Installation of Kernel with IPsec Offload Module . . . . . . . . . . . . . . . . . . . 27

5.1.1 Obtaining the Kernel Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

5.1.2 Installing the Kernel and Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

5.1.3 Installing the Customized iproute2 Utility . . . . . . . . . . . . . . . . . . . . . . . . . 28

5.2 Installation via MLNX_OFED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.3 Operating the IPsec Offload. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.3.1 Loading/Unloading the Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.3.1.1 Automatic Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.3.1.2 Manual Load/Unload. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.3.2 Setting up an Offloaded IPsec Connection . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.3.3 Destroying IPsec Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

5.3.4 IPsec Offload Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 6 mlx_fpga Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

6.1 Tool Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

6.2 mlx_fpga Synopsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

6.3 Examples of mlx_fpga Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

6.3.1 Adding FPGA mst Device Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

6.3.1.1 Burning the FPGA’s Flash Device Using the mlx_fpga Burning Tool . . . . 34

6.3.1.2 Loading Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

6.3.1.3 Debugging Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

6.3.1.4 Update FPGA Image. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Chapter 7 Updating Innova IPsec Adapter Card Firmware. . . . . . . . . . . . . . . 36

Chapter 8 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

8.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

8.2 Linux. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 9 Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

9.1 MNV101511A-BCIT Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

9.2 Innova IPsec 4 Lx EN LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

9.2.1 Network LEDs Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

9.2.2 FPGA Debug LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

9.2.3 FPGA Load-Flow Debug LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

9.3 Board Mechanical Drawing and Dimensions . . . . . . . . . . . . . . . . . . . . . . . 44

9.4 Bracket Mechanical Drawing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Appendix A Fast Installation and Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

A.1 Hardware Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Mellanox Technologies Rev 1.4

A.2 Content of Innova IPsec Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

A.3 Software, Firmware and Tools Installation . . . . . . . . . . . . . . . . . . . . . . 47

A.4 Software, Firmware and Tools Update . . . . . . . . . . . . . . . . . . . . . . . . . 48

Appendix B Interface Connectors Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

B.1 QSFP Connector Pinout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

B.2 PCI Express x8 Connector Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

B.3 I2C-compatible Connector Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Appendix C Finding the MAC and Serial Number on the Adapter Card . . . . 55

Appendix D Safety Warnings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Appendix E Avertissements de sécurité d’installation (Warnings in French) 58

Appendix F Sicherheitshinweise (Warnings in German) . . . . . . . . . . . . . . . . 60

Appendix G Advertencias de seguridad para la instalación (Warnings in Spanish) 62

Rev 1.4

Mellanox Technologies 5

6 Mellanox Technologies Rev 1.4

List of Tables

Table 1: Revision History Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Table 2: Single-port Innova IPsec Adapter Cards. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Table 3: Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Table 4: Documents List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Table 5: ethtool IPsec Offload Counters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Table 6: MNV101511A-BCIT Specifications Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Table 7: Physical and Logical Link Indications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Table 8: FPGA Debug LEDs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Table 9:

FPGA Load-Flow Debug LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Rev 1.4

Mellanox Technologies 7

8 Mellanox Technologies Rev 1.4

List of Figures

Figure 1: Innova IPsec 4 Lx EN Adapter Card Block Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Figure 2: IPsec Solution Layers and Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Figure 3: MNV101511A-BCIT LEDs Placement (Example) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Figure 4: Mechanical Drawing of the MNV101511A-BCIT Innova IPsec Adapter Card . . . . . . . . . . 44

Figure 5: Single-Port Tall Bracket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Figure 6: Single-Port Short Bracket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Figure 7: Connector and Cage Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Figure 8: PCIe x8 Connector Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Figure 9: Compatible Connector Plug and Pinout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Figure 10: MNV101511A-BCIT Board Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Rev 1.4

Mellanox Technologies 9

10

Revision History

This document was printed on June 20, 2017.

Table 1 - Revision History Table

Date

June 2017

Rev

1.4

January 2017 1.3

Comments/Changes

• Removed MCX4732A-BCIT from document

• Changed mlx_ipsec to mlx5_core

• Updated “memory” in Section 1.2, “Features and Benefits,” on page 14

• Updated

Section 4.2, “IPsec Offload Kernel and

Driver,” on page 24

• Updated

Section 4.3, “IPsec Offload for DPDK Applications,” on page 26

• Updated

Section 5.1, “Installation of Kernel with IPsec

Offload Module,” on page 27

• Updated

Section 5.3.1, “Loading/Unloading the Module,” on page 29

• Updated

Section 5.3.3, “Destroying IPsec Tunnels,” on page 31

• Updated

Section 6.2, “mlx_fpga Synopsis,” on page 33

• Updated

Table 6, “MNV101511A-BCIT Specifications

Table,” on page 40

• Added Appendix A.3, “Software, Firmware and Tools

Installation,” on page 47

• Updated

Appendix A.4, “Software, Firmware and Tools

Update,” on page 48

• Updated Section 5.1.1, “Obtaining the Kernel Modules,” on page 27

• Updated

Section 5.3.2, “Setting up an Offloaded IPsec

Connection,” on page 29

• Updated

Section 5.3.3, “Destroying IPsec Tunnels,” on page 31

• Updated

Section 6.1, “Tool Requirements,” on page 33

• Updated

Section 6.2, “mlx_fpga Synopsis,” on page 33

• Added Section 6.3.1.1, “Burning the FPGA’s Flash

Device Using the mlx_fpga Burning Tool,” on page 34

• Updated

Section 6.3.1.2, “Loading Tool,” on page 34

• Updated

Chapter 7,“Updating Innova IPsec Adapter

Card Firmware” on page 36

• Added Figure 6, “Single-Port Short Bracket,” on page 46

• Added Appendix A, “Fast Installation and Update,” on page 47

Mellanox Technologies Rev: 1.4

Rev: 1.4

Table 1 - Revision History Table

Date

September 2016

Rev

1.2

July 2016

April 2016

1.1

1.0

Comments/Changes

• Added MNV101511A-BCIT across document:

- Section 1.1, “Product Overview,” on page 13

- Section 9.1, “MNV101511A-BCIT Specifications,” on page 40

- Figure 3, “MNV101511A-BCIT LEDs Placement (Example),” on page 41

- Figure 4, “Mechanical Drawing of the MNV101511A-BCIT

Innova IPsec Adapter Card,” on page 44

• Added Chapter 5,“IPsec Offload Software Installation and Operation” on page 27

• Updated

Section 5.1.2, “Installing the Kernel and

Driver,” on page 27

• Updated

Section 5.3.1, “Loading/Unloading the Module,” on page 29

• Updated

Section 5.3.2, “Setting up an Offloaded IPsec

Connection,” on page 29

• Added Section 5.3.3, “Destroying IPsec Tunnels,” on page 31

• Removed Innova IPsec 4 Lx EN Card Drivers

• Updated

Chapter 6,“mlx_fpga Tool” on page 33

• Updated

Section 8.1, “General,” on page 38

• Updated

Section 9.1, “MNV101511A-BCIT Specifications,” on page 40

• Updated

Appendix C, “Finding the MAC and Serial

Number on the Adapter Card,” on page 55

• Changed mlx_accel_ipsec to mlx_ipsec.

• Added Section 4.2.2, “mlx5_fpga_tools Module,” on page 25

• Updated

Section 5.1.1, “Obtaining the Kernel Modules,” on page 27

• Updated

Section 5.1.2, “Installing the Kernel and

Driver,” on page 27

• Updated

Section 5.1.3, “Installing the Customized iproute2 Utility,” on page 28

• Added Section 5.3.4, “IPsec Offload Statistics,” on page 31

• Added “Update FPGA Image” on page 35

• Updated

Chapter 5.1,“Installation of Kernel with IPsec

Offload Module” on page 27

First Release

Mellanox Technologies 11

1 Introduction

This is the User Guide for Mellanox Technologies Innova IPsec adapter card based on the ConnectX ®-4 Lx Ethernet (EN) integrated circuit device with an on-board FPGA device.

The Mellanox Innova IPsec 4 Lx EN adapter card provides security acceleration for IPsecenabled networks while taking advantage of the ConnectX-4 Lx EN Network Controller’s bestin-class performance, unmatched scalability, and efficiency.

The constantly growing demand for security and privacy in modern data centers, private and public clouds, Web 2.0 infrastructure, and telecommunication systems, requires the use of security protocols. IPsec is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. However, the high computing power required by the IPsec algorithms consumes expensive CPU cycles and limits network connection performance.

The Mellanox Innova IPsec 4 Lx EN adapter offloads the processing of the IPsec algorithms, frees up the CPU, and eases network bottlenecks.

The adapter integrates advanced network capabilities and encryption offloading in one card, utilizing only a single PCIe slot for both networking and crypto functions.

The Mellanox Innova IPsec 4 Lx EN adapter also brings Innova IPsec 4 Lx’s industry leading technologies: hardware support for RDMA over Converged Ethernet, Ethernet stateless offload engines, overlay networks, GPUDirect® technologies, and more.

This chapter covers the following topics:

• Section 1.1, “Product Overview,” on page 13

• Section 1.2, “Features and Benefits,” on page 14

• Section 1.3, “Block Diagram,” on page 16

Section 1.4, “Operating Systems/Distributions,” on page 16

• Section 1.5, “Connectivity,” on page 17

• Section 1.6, “Related Documents,” on page 17

12 Mellanox Technologies Rev: 1.4

Introduction

1.1

Product Overview

The following section provides the ordering part number, port speed, number of ports, and PCI

Express speed.

Table 2 - Single-port Innova IPsec Adapter Cards

Ordering Part Number (OPN)

MNV101511A-BCIT - HHHL card with Xilinx Kintex®

UltraScale™ XCKU060

Ethernet: 10/40Gb/s

Data Transmission Rate

Single-port QSFP

Network Connector Types

PCI Express (PCIe) SerDes Speed

RoHS

Adapter IC Part Number

Device ID (decimal)

PCIe 3.0 x8 8GT/s

R6

MT27711A0-FDCF-BE

610

Rev: 1.4

Mellanox Technologies 13

1.2

Features and Benefits

Table 3 - Features a

PCI Express (PCIe)

Uses PCIe Gen 3.0 (1.1 and 2.0 compatible) through an x8 edge connector up to

8GT/s

10/40 Gigabit Ethernet

Memory

IPsec Offload

Overlay Networks

Mellanox adapters comply with the following IEEE 802.3* standards:

– IEEE Std 802.3ba 40 Gigabit Ethernet

– IEEE Std 802.3ae 10 Gigabit Ethernet

– IEEE Std 802.3ad, Link Aggregation

– IEEE Std 802.1Q, 1P VLAN tags and priority

– IEEE Std 802.1Qau Congestion Notification

– IEEE Std 802.1Qbg

_ IEEE P802.1Qaz D0.2 ETS

_ IEEE P802.1Qbb D1.0 Priority-based Flow Control

PCI Express - stores and accesses Ethernet fabric connection information and packet data

SPI - includes two SPI Flash devices:

• one 16MB SPI Flash device (W25Q128FVSIG by WINBOND-NUVOTON) for ConnectX-4 Lx device

• one 512Mb SPI flash (MT25QL512ABB8E12 by MICRON TECHNOL-

OGY) for the FPGA device

EEPROM - accessible through the I2C-compatible interface. The EEPROM capacity is 128Kb.

2GByte DDR4 - PC-1600MT/sec Soldered on board

The Innova IPsec adapter provides offloading of compute intensive encryption/ decryption and authentication algorithms, which are used by the IPsec protocol.

Support for Linux and Windows IPsec software interfaces ensures native integration with existing IPsec applications, with no required changes to the user’s software. IPsec offloading is handled by the combination of the ConnectX-4 Lx network controller and an on-board FPGA, providing high performance and flexibility for future enhancements and customizations. The FPGA is connected to the

ConnectX-4 Lx through a ‘bump-in-the-wire’ topology, hence encryption and decryption are performed inline with the network flow. This results in lower latency and additional savings of CPU resources compared to other IPsec protocol solutions, be it through software or alternative accelerators.

In order to better scale their networks, data center operators often create overlay networks that carry traffic from individual virtual machines over logical tunnels in encapsulated formats such as NVGRE and VXLAN. While this solves network scalability issues, it hides the TCP packet from the hardware offloading engines, placing higher loads on the host CPU. Innova IPsec adapter effectively addresses this by providing advanced NVGRE, VXLAN and GENEVE hardware offloading engines that encapsulate and de-capsulate the overlay protocol headers, enabling the traditional offloads to be performed on the encapsulated traffic for these and other tunneling protocols (GENEVE, MPLS, QinQ, and so on). With Innova

IPsec adapter, data center operators can achieve native performance in the new network architecture.

14 Mellanox Technologies Rev: 1.4

Introduction

Table 3 - Features a

RDMA and RDMA over

Converged Ethernet (RoCE)

Mellanox PeerDirect™

CPU offload

Quality of Service (QoS)

Hardware-based I/O

Virtualization

Storage Acceleration

Distributed RAID

Innova IPsec adapter supports RoCE specifications delivering low-latency and high- performance over Ethernet networks. Leveraging data center bridging

(DCB) capabilities as well as Innova IPsec adapter advanced congestion control hardware mechanisms, RoCE provides efficient low-latency RDMA services over

Layer 2 and Layer 3 networks.

PeerDirect™ communication provides high efficiency RDMA access by eliminating unnecessary internal data copies between components on the PCIe bus (for example, from GPU to CPU), and therefore significantly reduces application run time. Innova IPsec adapter advanced acceleration technology enables higher cluster efficiency and scalability to tens of thousands of nodes.

Adapter functionality enabling reduced CPU overhead allowing more available

CPU for computation tasks.

Support for port-based Quality of Service enabling various application requirements for latency and SLA

Innova IPsec adapter SR-IOV technology provides dedicated adapter resources and guaranteed isolation and protection for virtual machines (VMs) within the server. I/O virtualization with Innova IPsec adapter gives data center administrators better server utilization while reducing cost, power, and cable complexity, allowing more Virtual Machines and more tenants on the same hardware.

A consolidated compute and storage network achieves significant cost-performance advantages over multi-fabric networks. Standard block and file access protocols can leverage RDMA for high-performance storage access.

Innova IPsec adapter delivers advanced Erasure Coding offloading capability, enabling distributed Redundant Array of Inexpensive Disks (RAID), a data storage technology that combines multiple disk drive components into a logical unit for the purposes of data redundancy and performance improvement. Innova IPsec adapter’s Reed-Solomon capability introduces redundant block calculations, which, together with RDMA, achieves high performance and reliable storage access.

a. This section describes hardware features and capabilities. Please refer to the driver release notes for feature availability. See

Section 1.6, “Related Documents,” on page 17

.

Rev: 1.4

Mellanox Technologies 15

1.3

Block Diagram

Figure 1: Innova IPsec 4 Lx EN Adapter Card Block Diagram

x 8 P C I e G e n 3

D R A M

2 G B

D D R 4-

1 6 0 0[ M T / S e c]

C o n fig . F L A S H

JT A G -IF

F P G A

1.4

Operating Systems/Distributions

1

• RHEL/CentOS

• Ubuntu

• Fedora

• OpenFabrics Enterprise Distribution (OFED)

1. Windows will be supported in a future revision.

16 Mellanox Technologies x 8 P C Ie G e n 3

J T A G /

G P I O

C o n n e ct X

I 2 C

Rev: 1.4

Introduction

1.5

Connectivity

• Interoperable with 10Gb and 40Gb Ethernet switches

• Passive copper cable with ESD protection

• Powered connectors for optical and active cable support

1.6

Related Documents

Table 4 - Documents List

Document’s Name

Mellanox Firmware Tools (MFT) User

Manual

Document no. 2204UG

Mellanox OFED for Linux

User Manual

Document no. 2877

Performance Tuning Guidelines for Mellanox Network Adapters

Document no. 3368

Mellanox EN for Linux Driver Release

Notes

IEEE Std 802.3 Specification

PCI Express 3.0 Specifications

IETF IPsec specifications

Location

User Manual describing the set of MFT firmware management tools for a single node.

See http://www.mellanox.com/page/management_tools

User Manual describing OFED features, performance, tools content and configuration. See http://www.mellanox.com => Products

=> Software => InfiniBand/VPI Drivers => Mellanox OpenFabrics Enterprise Distribution for Linux (MLNX_OFED)

User Manual describes important tuning parameters and settings that can improve performance for Mellanox drivers.

See http://www.mellanox.com/related-docs/prod_software/Performance_Tuning_Guide_for_Mellanox_Network_Adapters.pdf

Release notes for Mellanox Technologies' MLNX_EN for Linux driver kit for Mellanox adapter cards: http://www.mellanox.com => Products => Software => Infini-

Band/VPI Drivers => Mellanox OpenFabrics Enterprise Distribution for Linux (MLNX_OFED) => Release Notes

This is the IEEE Ethernet specification http://standards.ieee.org/getieee802

Industry Standard PCI Express 3.0 Base and Card Electromechanical Specifications.

https://pcisig.com/specifications https://tools.ietf.org/html/rfc4301

Rev: 1.4

Mellanox Technologies 17

2 Interfaces

Each adapter card includes the following interfaces:

• “Ethernet QSFP Interface”

• “PCI Express Interface”

• “LED Interface”

The adapter cards include special circuits to protect from ESD shocks to the card/server when plugging copper cables.

2.1

Ethernet QSFP Interface

The network port of the Innova IPsec adapter is compliant with the IEEE 802.3 Ethernet stan-

dards listed in Table 3, “Features,” on page 14 . For connecting to an SFP+ interface, you can use

a Mellanox QSA (QSFP to SFP+) adapter module.

2.2

PCI Express Interface

The Innova IPsec adapter card supports PCI Express 3.0 (1.1 and 2.0 compatible) through an x8 edge connector. The device can be either a master initiating the PCI Express bus operations or a slave responding to PCI bus operations. The following lists PCIe interface features of the Innova

IPsec adapter card:

• PCIe Gen 3.0 compliant, 1.1 and 2.0 compatible

• 2.5, 5.0, or 8.0GT/s link rate x8

• Auto-negotiates to x8, x4, x2, or x1

• Support for MSI/MSI-X mechanisms

2.3

LED Interface

For Innova IPsec adapter card LED specifications, please refer to

Section 9.2, “Innova IPsec 4

Lx EN LEDs,” on page 41 .

18 Mellanox Technologies Rev: 1.4

Hardware Installation

3 Hardware Installation

3.1

System Requirements

3.1.1 Hardware

A system with a PCI Express x8 slot is required for installing the card.

3.1.2 Operating Systems/Distributions

Please refer to

Section 1.4, “Operating Systems/Distributions,” on page 16

.

3.2

Safety Precautions

The adapter is being installed in a system that operates with voltages that can be lethal.

Before opening the case of the system, observe the following precautions to avoid injury and prevent damage to system components.

1. Remove any metallic objects from your hands and wrists.

2. Make sure to use only insulated tools.

3. Verify that the system is powered off and is unplugged.

4. It is strongly recommended to use an ESD strap or other antistatic devices.

3.3

Pre-installation Checklist

1. Verify that your system meets the hardware and software requirements stated above.

2. Shut down your system if active.

3. After shutting down the system, turn off power and unplug the cord.

4. Remove the card from its package. Please note that the card must be placed on an antistatic surface.

5. Check the card for visible signs of damage. Do not attempt to install the card if damaged.

3.4

Bracket Installation Instructions

The card is usually shipped with a tall bracket installed. If this form factor is suitable for your

requirements, you can skip the remainder of this section and move to Section 3.5, “Card Installation Instructions,” on page 20

.

If you need to replace it with the short bracket that is included in the shipping box, please follow the instructions in this section.

Rev: 1.4

Mellanox Technologies 19

Due to risk of damaging the EMI gasket, it is not recommended to replace the bracket more than three times.

To replace the bracket you will need the following parts:

• The new bracket of the proper height

• The 2 screws saved from the removal of the bracket

• The 2 fiber washers saved from the removal of the bracket

3.4.1 Removing the Existing Bracket

1. Remove the two screws holding the bracket in place. The bracket comes loose from the card.

Be careful not to put stress on the LED.

2. Save the two screws and the two fiber washers.

3.4.2 Installing the New Bracket

1. Place the bracket onto the card until the screw holes line up.

Do not force the bracket onto the card. You may have to gently push the LEDs using a small screwdriver to align the LEDs with the holes in the bracket.

2. Screw on the bracket using the screws and washers saved from the bracket removal procedure above.

3. Make sure that the LEDs are aligned onto the bracket holes.

4. Use a torque driver to apply up to 2.9 lbs-in torque on the screws.

3.5

Card Installation Instructions

1. Open the system case.

2. Place the adapter in a standard PCI Express slot

3. Applying even pressure at both corners of the card, insert the adapter card into the slot until it is firmly seated. When the adapter is properly seated, the adapter port connectors are aligned with the slot opening, and the adapter faceplate is visible against the system chassis.

20 Mellanox Technologies Rev: 1.4

Hardware Installation

Do not use excessive force when seating the card, as this may damage the system or the adapter.

3.6

Cables and Modules

To obtain the list of supported cables for your adapter, please refer to http://www.mellanox.com/ products/interconnect/cables-configurator.php

.

3.6.1 Cable Installation

1. All cables can be inserted or removed with the unit powered on.

2. To insert a cable, press the connector into the port receptacle until the connector is firmly seated. a. Support the weight of the cable before connecting the cable to the adapter card. Do this by using a cable holder or tying the cable to the rack.

b. Determine the correct orientation of the connector to the card before inserting the connector. Do not try and insert the connector upside down. This may damage the adapter card.

c. Insert the connector into the adapter card. Be careful to insert the connector straight into the cage. Do not apply any torque, up or down, to the connector cage in the adapter card.

d. Make sure that the connector locks in place.

When installing cables make sure that the latches engage.

Always install and remove cables by pushing or pulling the cable and connector in a straight line with the card.

3. After inserting a cable into a port, the Amber LED indicator will light when the physical connection is established (that is, when the unit is powered on and a cable is plugged into the port with the other end of the connector plugged into a functioning port). See

Section 9.2, “Innova

IPsec 4 Lx EN LEDs,” on page 41

.

4. After plugging in a cable, lock the connector using the latching mechanism particular to the cable vendor. When a logical connection is made, the Green LED will light. When data is being transferred the Green LED will blink. See

Section 9.2, “Innova IPsec 4 Lx EN LEDs,” on page 41 .

Rev: 1.4

Mellanox Technologies 21

5. Care should be taken as not to impede the air exhaust flow through the ventilation holes. Use cable lengths which allow for routing horizontally around to the side of the chassis before bending upward or downward in the rack.

6. To remove a cable, disengage the locks and slowly pull the connector away from the port receptacle. LED indicator will turn off when the cable is unseated.

3.7

Identify the Card in Your System

Get the device location on the PCI bus by running lspci and locating lines with the string “Mellanox Technologies”:

> lspci |grep -i Mellanox

Network controller: Mellanox Technologies MT27710 Family [ConnectX-4 Lx]

22 Mellanox Technologies Rev: 1.4

Innova IPsec Offload Overview

4 Innova IPsec Offload Overview

The Innova IPsec 4 Lx EN adapter is pre-programmed with a Mellanox IPsec offload FPGA logic, offering encryption, decryption and authentication for IPsec security protocol suite.

The IPsec offload solution offers three major benefits:

1. Offloads compute intensive crypto algorithms from the host CPU, thus freeing up the CPU and easing network bottlenecks.

2. Since the crypto process occurs on the FPGA, which acts as a 'bump-in-the-wire', the traffic reaches the ConnectX-4 Lx plain so that the various ConnectX-4 Lx networking and stateless offloads can be applied to that traffic.

3. The existing IPsec implementation in Linux kernel requires the network stack to process the packet before and after the crypto processing of the packet. As 'bump-in-the-wire', Innova

IPsec prevents traffic from undergoing the kernel network stacks process more than once.

With these benefits, IPsec offload allows the adapter to reach full wire speed with IPsec secured traffic on the wire while reducing CPU utilization.

IPsec offload is supported in two modes - kernel mode ( Section 4.2, “IPsec Offload Kernel and

Driver,” on page 24

) and DPDK ( Section 4.3, “IPsec Offload for DPDK Applications,” on page 26

).

4.1

Security Engines and IPsec Protocols

For list of supported crypto algorithms please refer to Mellanox Innova IPsec 4 Lx EN Release

Notes. Additional crypto algorithms can be added based on business needs.

The crypto algorithms in the Innova IPsec adapter is a symmetric encryption and authentication using either the AES-GCM mechanism (described in GCM-Spec ), the encryption of AES-CBC

(described in CBC-Spec ) and/or the authentication by:

• HMAC-SHA-1

• HMAC-SHA2 (224, 256, 384, 512)

Please refer to HMAC-Spec and SHA-Spec for further details.

The crypto engines are designed to deliver full wire speed operation in a wire rate of 40G. This crypto is integrated with IPsec-ESP protocol mechanism which is elaborated in rfc4106 , or with

IPsec-AH, as described in rfc4302 .

Rev: 1.4

Mellanox Technologies 23

4.1.1 Offloaded IPsec Protocols and Internet Protocols

This section lists IPsec protocols and Internet Protocols that can be offloaded to the Innova IPsec adapter.

For list of supported protocols, please refer to Mellanox Innova IPsec 4 Lx EN Release Notes.

4.1.1.1 IPsec Protocols

• ESP modes - Tunnel mode, Transport mode

• AH modes - Tunnel mode, Transport mode

4.1.1.2 Internet Protocols

• IPv4

• IPv6

4.2

IPsec Offload Kernel and Driver

In order to install the kernel and driver, please refer to

Chapter 5,“IPsec Offload Software Installation and Operation” on page 27 .

The Innova IPsec offload solution is designed in a way that is integrated into the latest IPsec framework in the Linux kernel, IP-XFRM framework, using the IP-XFRM offload API provided by the kernel.

The IP-XFRM framework is exposed to the user through various software implementations for

IPsec connection creation and management (such as iproute2, libreswan, strongswan and others).

Upon setting up an IPsec connection, the user can choose whether to enable the Innova IPsec offload on the specific IPsec security association (SA) that is created once the connection is gener-

ated. See Section 5.3.2, “Setting up an Offloaded IPsec Connection,” on page 29 . Security

associations that are not set to be offloaded will still undergo encryption/decryption operations by the Linux kernel.

4.2.1 Innova IPsec Ethernet Driver Module

The Innova IPsec adapter has a dedicated driver in the form of a kernel module, mlx5_core.ko.

The driver performs the following:

• Configures the offload settings and modes in HW.

• Manages the offloaded security associations database in HW and ensures its validity.

• Ensures and maintains the flow of packets from kernel network stack to the Innova IPsec adapter for offloading of encryption and from the Innova IPsec adapter to kernel network stack after decryption offloading.

24 Mellanox Technologies Rev: 1.4

Figure 2

illustrates the IPsec solution layers and components.

Figure 2: IPsec Solution Layers and Components

Innova IPsec Offload Overview

4.2.2 mlx5_fpga_tools Module

mlx5_fpga_tools module is included in the new kernel installation.

The module allows opening and configuring character device to be used by the dedicated mlx_fpga tool for various purposes. Please refer to

Chapter 6,“mlx_fpga Tool” on page 33.

The module is not loaded by default and not required for IPsec offload.

To load it run: modprobe mlx5_fpga_tools

The module depends on mlx5_core module.

4.2.3 Key Generation and Exchange

The Innova IPsec adapter currently only supports offloading of the encryption, decryption and authentication of IPsec traffic. The key generation and exchange protocol, whether done manually or through IKE protocol, remains within complete ownership of the userspace software that is used for IPsec connection creation and management (such as iproute2, libreswan, strongswan and others) and is not affected by the HW or the supplied IPsec kernel module.

The Mellanox IPsec kernel module will only be invoked by the kernel offload API once the key and SPI values are determined (whether manually or by IKE) and crypto offload is enabled. The

Rev: 1.4

Mellanox Technologies 25

module will update the security association database on the FPGA/DDR so that crypto offload can occur while traffic is running.

4.3

IPsec Offload for DPDK Applications

mlx5_core module offers offload support for raw Ethernet and kernel bypass drivers by exposing a user interface to control the offloaded security associations in the FPGA.

Mellanox provides a DPDK Poll Mode Driver (PMD) which makes use of this interface. PMD provides a new API for DPDK applications to open/close offloaded security associations (control path) while transmitting/receiving traffic through them (data path). The data path is still done with kernel network stack bypass, providing the application the benefits of the both DPDK acceleration and security offload (encryption/decryption).

Please refer to Mellanox Innova IPsec 4 Lx EN Release Notes for supported versions.

26 Mellanox Technologies Rev: 1.4

IPsec Offload Software Installation and Operation

5 IPsec Offload Software Installation and Operation

5.1

Installation of Kernel with IPsec Offload Module

5.1.1 Obtaining the Kernel Modules

The kernel modules described in Section 4.2, “IPsec Offload Kernel and Driver,” on page 24

are a part of a special Linux kernel installation bundle provided by Mellanox. The bundle includes latest kernel installation files and other related components:

• FPGA image bin file

• Kernel RPM files

• MFT tarball file

• Firmware bin files

• Example IPsec offload scripts

To download the bundle, please refer to: www.mellanox.com

=> Products => Programmable

Adapter Cards => Innova IPsec => FW & SW.

5.1.2 Installing the Kernel

and Driver

Please make sure that the latest FW, FPGA image and MFT versions are installed. Please refer to the Mellanox Innova IPsec 4 Lx EN Adapter Card Release Notes for the latest versions.

Once you have obtained the kernel RPM file, the file can be installed by performing the following steps:

1. Run: rpm -i kernel-<kernel_version>.rpm / rpm -i kernel-devel-<kernel_version>.rpm

2. Verify that the initial RAM disk image has been created: a. Run ls /boot/ and look for the relevant initramfs and vmlinuz files that match the kernel version you just installed (names should match the RPM name).

3. Open the /boot/grub/grub.conf file for editing (the boot menu configuration file) and add a new menu entry for the new installed kernel. Example of menu entry to be added (replace the vmlinuz and initramfs names with the new kernel file names and modify the entry title as desired): title upstream-4.7 rc5 for FPGA root (hd0,0) kernel /vmlinuz-4.7.0-rc5+ root=/dev/sda2 console=tty0 console=ttyS0,115200n8 rhgb initrd /initramfs-4.7.0-rc5+.img

Rev: 1.4

Mellanox Technologies 27

4. If using grub2, open the /boot/grub2/grub.cfg for editing and add a new menu entry for the new installed kernel. Example of menu entry to be added (replace the vmlinuz and initramfs names with the new kernel file names and modify the entry title as desired): menuentry 'Upstream 4.12.0-rc4+' --class rhel fedora --class gnu-linux --class gnu -class os --unrestricted $menuentry_id_option 'gnulinux-4.12.0-rc4+-advanced-2d912b91d2e5-44fd-8040' {

load_video

set gfxpayload=keep

insmod gzio

insmod part_msdos

insmod xfs

set root='hd0,msdos1'

if [ x$feature_platform_search_hint = xy ]; then

search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' f663c5e3-1cbb-

4f88-b65e-f9848f1458c9

else

search --no-floppy --fs-uuid --set=root f663c5e3-1cbb-4f88-b65e-f9848f1458c9

fi

linux16 /vmlinuz-4.12.0-rc4+ root=/dev/sda2 console=tty0 control=ttyS0,115200n8 rhgb

initrd16 /initramfs-4.12.0-rc4+.img

}

5. Once the kernel installation is complete, reboot your system and select the relevant kernel to load from the grub menu.

6. Optional - It is also possible to change the default entry value to the index of the new entry

(the indexes are zero-based) so that the new kernel will be loaded by default. This is done by changing the index value next to the word “default” at the beginning of the grub.conf file. For grub2, you can use the command: grub2-set-default.

Note:

Note:

To confirm that the required kernel version is loaded, use the "uname -r" command. The output indicates the kernel version and name.

Installing the kernel modules will also install the following Mellanox device driver modules - mlx5_core and mlx5_ib.

5.1.3 Installing the Customized iproute2 Utility

The iproute2 is a user space utilities package that controls TCP/IP networking configuration in the kernel. It includes commands such as:

ip: for management of network tables and network interfaces. It is also used to configure packet transformation policies and the security associations (SAs) attached to those policies. ip utility is used to set up IPsec policies on security associations.

Mellanox provides a customized iproute2 utility set which exposes new flags in the ip xfrm utility to allow the user control of the IPsec tunnel offload state. Those flags provide the option to enable offload for IPsec SAs.

1. Obtain the customized iproute2 RPM file by contacting Mellanox support (File Name: iproute2-<version>.x86_64.rpm )

28 Mellanox Technologies Rev: 1.4

IPsec Offload Software Installation and Operation

2. Install the utility using the following command: rpm -i --force iproute2-<version>.x86_64.rpm

Once the installation is complete, you will have the modified iproute2 utility that supports the

IPsec offload flags installed in your system.

Note:

There are several additional user space applications that provide an interface to configure

IPsec policies and SAs (Strongswan, Libreswan and more). Please refer to the release notes of the above mentioned user space applications for IPsec offload support.

5.2

Installation via MLNX_OFED

Please note that currently none of the MLNX_OFED packages available on http://www.mellanox.com

provide support for Innova IPsec 4 Lx EN adapter card. For IPsec offload software installation, please refer to

Section 5.1, “Installation of Kernel with IPsec Offload Module,” on page 27

.

5.3

Operating the IPsec Offload

5.3.1 Loading/Unloading the Module

5.3.1.1 Automatic Load

The Innova IPsec Ethernet driver, mlx5_core, is loaded automatically by the kernel when an

Innova IPsec card is installed.

5.3.1.2 Manual Load/Unload

1. Load/unload mlx5_core using one of the following commands: insmod mlx5_core modprobe mlx5_core rmmod mlx5_core(unload command)

Note:

Unloading the IPsec offload module while there are active IPsec offloaded connections is not supported and the result is undefined. For proper and stable operation of the HW and

SW, the offloaded IPsec connection must be terminated via the proper utility before module unload. It is recommended to flush the existing IPsec XFRM states before restarting the mlx5_core module in case there are offloaded security associations. It can be done by running the following command: ip xfrm state flush; ip xfrm pol flush.

5.3.2 Setting up an Offloaded IPsec Connection

IPsec secured connection can be opened through the iproute2 utility. For offload support, please use the iproute2 version that is modified and supplied by Mellanox (see

Section 5.1.3, “Installing the Customized iproute2 Utility,” on page 28 ).

In order to configure an IPsec secured connection between hosts, it is necessary to:

Rev: 1.4

Mellanox Technologies 29

1. Configure the security association (SA) intended for use, with its relevant parameters (such as: crypto algorithm, key length, ESP mode, the SA ID, traffic direction of th SA and more).

2. Configure the xfrm policy which defines the type of traffic that will undergo encryption or decryption. It also sets the tunnel IP addresses which encapsulate the packet when working in

ESP tunnel mode.

The following example shows how to configure a host (one side of an IPsec connection) with an offloaded IPsec tunnel using the iproute2 utility. In this example, the tunnel is set in IPv4 mode with AES-GCM128 crypto algorithm. The keys are added manually.

1. Set the egress traffic security parameters: ip xfrm state add src

1

192.168.7.2 dst

2

192.168.7.9 proto esp spi

3

0x4c250336 reqid

4

0x4c250336 mode tunnel aead 'rfc4106(gcm(aes))'

0x44e6625f4d2fb01b03cc9baefe9b5c8de9d7b9c1

5

128 offload dev ens8

6

dir out

7

2. Set the ingress traffic security parameters: ip xfrm state add src

8

192.168.7.9 dst

9

192.168.7.2 proto esp spi

10

0x0f2e596c reqid 0x0f2e596c mode tunnel aead 'rfc4106(gcm(aes))'

0x44e6625f4d2fb01b03cc9baefe9b5c8de9d7b9c1

11

128 offload dev ens8 dir in

12

Note: offload dev ens8 dir out and offload dev ens8 dir in are the new flags which instruct the iproute2 utility to enable HW offload for the specified security policy.

3. Apply the new egress traffic security policy: ip xfrm policy add src 192.168.7.2 dst

13

192.168.7.9 dir out tmpl

14

src 192.168.7.2 dst

15

192.168.7.9 proto esp reqid 0x4c250336

mode tunnel

4. Apply the new ingress traffic security policy: ip xfrm policy add src 192.168.7.9 dst

192.168.7.2 dir in tmpl src 192.168.7.9 dst 192.168.7.2 proto esp reqid 0x0f2e596c mode tun-

nel

Note:

The above example shows how to configure a host on one side of the IPsec secured connection. The peer host must undergo the same flow listed above only with the traffic directions inverted. That is, the settings of the egress traffic in this example are the settings of the ingress traffic for the peer host.

1. The IP addresses of the src host of the egress traffic. Modify it with your own relevant addresses.

2. The IP addresses of the destination host of the egress traffic. Modify it with your own relevant addresses.

3. SPI value for egress traffic - add your own desired value.

4. SA request id - this ID is used as a reference to the new SA (for modification, destruction, attaching to a policy). Any number can be chosen here.

5. The 128 bit key concatenated with the constant initialization vector (IV) that are used for the encryption of the egress traffic.

6. The relevant network interface name - replace with your own.

7. out/in - traffic direction of this IPsec tunnel setting.

8. The IP addresses of the src host of the ingress traffic. Modify it with your own relevant addresses.

9. The IP addresses of the destination host of the ingress traffic. Modify it with your own relevant addresses.

10. SPI value for ingress traffic - add your own desired value.

11. The 128 bit key concatenated with the constant initialization vector (IV) that are used for the decryption of the ingress traffic. This traffic key does not have to be similar to the egress traffic key.

12. out/in - traffic direction of this IPsec tunnel setting.

13. The IP addresses of the inner (original) packet to undergo transformation and tunnel encapsulation.

14. Indicates that we are about to define the template of the outer IP header of our tunnel.

15. The tunnel source and destination IP addresses - can be different than the inner packet IP address.

30 Mellanox Technologies Rev: 1.4

IPsec Offload Software Installation and Operation

Once configured, the existing xfrm states (SAs) and policies can be seen using the following commands:

1. ip xfrm state - to view all the xfrm states in the kernel.

2. ip xfrm pol - to view all the xfrm policies in the kernel.

When viewing the xfrm states in the system, the flag dir in/dir out (depending on the traffic direction of the state), under the “crypto offload parameters” section, will indicate that this state is offloaded by an offload device. If these flags are not present, it indicates that encryption/decryption is not offloaded for this xfrm state and remains within the Kernel scope.

5.3.3 Destroying IPsec Tunnels

The process of destroying an offloaded IPsec tunnel remains unchanged and is similar to the destruction of a non-offloaded tunnel using the iproute2 “ip” utility.

It is required to close both the xfrm policies and the xfrm states to completely terminate a session.

A complete flush of all the policies and states can be done with the following commands:

1. ip xfrm state flush

2. ip xfrm pol flush

To delete a specific xfrm policy use the “ip xfrm policy delete <policy parameters>” command.

To delete a specific xfrm state use the “ip xfrm state delete <state parameters>” command.

When flushing all xfrm states, the flow cache is flushed automatically, so this additional operation is not required.

5.3.4 IPsec Offload Statistics

The FPGA contains several counters which provide information and statistics on the offload operation.

These counters are a part of the network interface counters and can be viewed using the ethtool

-S <interface_name> command.

Note:

The mlx5_core module must be loaded for the counters to appear in ethtool.

Table 5 - ethtool IPsec Offload Counters

Name Description

ipsec_dec_in_packets Total packets received for decryption by FPGA.

ipsec_dec_out_packets Number of packets that were received for decryption, decrypted and successfully authenticated by FPGA.

ipsec_dec_bypass_packets

Number of packets that were bypassed by FPGA in decryption direction.

Rev: 1.4

Mellanox Technologies 31

Table 5 - ethtool IPsec Offload Counters

Name Description

ipsec_enc_out_packets Number of packets that were received for encryption, encrypted and successfully authenticated by FPGA.

ipsec_enc_bypass_packets

Number of packets that were bypassed by FPGA in encryption direction.

ipsec_dec_drop_packets Number of packets dropped by decryption engine. This can be as a result of having inband metadata in packet or corrupted decryption. ipsec_dec_auth_fail_packets

Number of packets dropped by decryption engine due to authentication issue.

ipsec_enc_drop_packets Number of packets dropped by encryption engine. This can be as a result of more VLAN tags than the number supported by FPGA, having inband metadata or miss in

SADB. ipsec_add_sa_success Total amount of SAs successfully added by FPGA.

ipsec_add_sa_fail Total amount of failed SA add commands by FPGA. This can be a result of adding an already valid SA. ipsec_del_sa_success ipsec_del_sa_fail ipsec_cmd_drop

Total amount of SAs successfully removed by FPGA.

Total amount of failed SA remove commands by FPGA.

This can be a result of remove command on invalid SA.

Total amount of failed commands. This can be a result of failure to parse command.

32 Mellanox Technologies Rev: 1.4

mlx_fpga Tool

6 mlx_fpga Tool

mlx_fpga tool allows the user to burn and update a new FPGA image on Innova IPsec adapter card. The tool also enables the user to read/write individual registers in the FPGA configuration space.

6.1

Tool Requirements

• Innova IPsec 4 Lx EN adapter card with an FPGA device

• Download MFT via: www.mellanox.com

=> Products => Programmable Adapter Cards

=> Innova IPsec => FW & SW. For supported MFT version, please refer to Mellanox

Innova IPsec 4 Lx EN Release Notes.

• Extract the TGZ and run - install.sh

• Load mlx5_fpga_tools module. See Section 4.2.2, “mlx5_fpga_tools Module,” on page 25

.

• Start mst service with the fpga lookup flag (mst start --with_fpga)

6.2

mlx_fpga Synopsis

# mlx_fpga [-d <device> ] < read <addr> | write <addr> <value> | b <image path> | clear_semaphore

| reset | load | query where:

-d|--device <device>

-v|--version

-h|--help r |read <addr> w |write <addr> <data> b |burn <bin> l |load clear_semaphore reset q |query

FPGA mst device interface

Display version info

Display help message

Read debug register in address

Write data to debug register in address

Burn image on flash

Load image from flash (--factory - load image from factory flash)

Unlock flash controller semaphore

Reset FPGA (--fpga)

Query general FPGA information

Rev: 1.4

Mellanox Technologies 33

6.3

Examples of mlx_fpga Usage

6.3.1 Adding FPGA mst Device Interface

apps-13:~ # modprobe mlx5_fpga_tools apps-13:~ # mst start --with_fpga apps-13:~ # mst status

MST modules:

------------

MST PCI module is not loaded

MST PCI configuration module is not loaded

MST devices:

------------

No MST devices were found nor MST modules were loaded.

You may need to run 'mst start' to load MST modules.

FPGA devices:

-------------------

/dev/mst/mt4117_pciconf0_fpga_i2c

/dev/mst/mt4117_pciconf1_fpga_rdma a a. It is recommended to use the RDMA device as it uses the “fast path” to the FPGA. I2C is used for recovery purposes when RDMA is not functional.

6.3.1.1 Burning the FPGA’s Flash Device Using the mlx_fpga Burning Tool

mlx_fpga tool burns a .bin file onto the FPGA flash device.

It is recommended to burn the FPGA device using an RDMA device as it uses the “fast path” to the FPGA thus minimizing the burning time.

Step 1.

Burn the image.

# mlx_fpga -d <device> burn image.bin

Step 2.

Load the FPGA image from flash according to Section 6.3.1.2, “Loading Tool,” on page 34

or power cycle the machine for change to take effect.

6.3.1.2 Loading Tool

• Load an FPGA image from user configurable flash:

# mlx_fpga -d <device> l/load <optional: load options> where

<optional: load options>

is:

--factory

--user

Load FPGA image from factory flash

Load FPGA image from user flash [default option]

34 Mellanox Technologies Rev: 1.4

mlx_fpga Tool

6.3.1.3 Debugging Tool

• Reading One Debug Register:

# mlx_fpga -d <device> read 0x0

• Writing One Debug Register:

# mlx_fpga -d <device> write 0x0 0x0

6.3.1.4 Update FPGA Image

In order to verify the new image burned to the FPGA, the user can use mlx_fpga tool to read the following registers:

Name

image_version image_date image_time

Address

0x900000

0x900004

0x900008

Range

31:00:00

31:00:00

31:00:00

Default

0x0

0x0

0x0

RW

RO

RO

RO

Description

Version of the image

Image date of creation. The hex number is actually the decimal value, i.e. 0x12011995 means 12/01/1995 in DD/MM/

YY: bits [31:24] = day of creation bits [23:16] = month of creation bits [15:0] = year of creation

Image time of creation. The hex number is actually the decimal value, i.e. 0x00015324 means 01:53:24 in

HH:MM:SS: bits [23:16] = hour (00..23) bits [15:8] = minutes (00..59) bits [7:0] = seconds (00..59)

Rev: 1.4

Mellanox Technologies 35

7 Updating Innova IPsec Adapter Card Firmware

This section applies only when updating the ConnectX-4 Lx firmware. In order to burn and update the FPGA image, please refer to

Chapter 6,“mlx_fpga Tool” on page 33.

Each card is shipped with the latest version of qualified ConnectX-4 Lx firmware at the time of manufacturing. However, Mellanox issues firmware updates occasionally. Please contact Mellanox for the correct Firmware version.

Firmware can be updated on the stand-alone single card using the flint tool of the Mellanox

Firmware Tools (MFT) package. Please contact Mellanox for the correct MFT package.

The following steps describe how to retrieve the PSID (firmware identification) and programmed firmware version of your adapter card. They also describe how to update the card with the latest firmware version available.

1. Retrieve the PSID and firmware version: a. Install the MFT package. b. Enter: mst start.

c. Get the Mellanox mst device name using the command "mst status". The mst device name will be of the form: /dev/mst/mt4117_pciconf0.

d. Get the PSID (firmware identification) and programmed firmware version using the command ' flint -d <mst device> q', where <mst device> is the device retrieved in step c.

The shown versions and/or parameter values in the example below may not reflect the latest or actual values for this product, and are included here for illustration purposes only.

> flint -d /dev/mst/mt4117_pci_cr0 q

Image type: ConnectX-4 Lx

FW Version: 14.12.1000

Device ID: 4117

Chip Revision: 0

Description: Node Port1 Port2

Sys image

GUIDs: 000002c900000200 000002c900000201 000002c900000202

000002c900000203

MACs:

000002c90200 000002c90201

Board ID: (MT_2410110034MT_2490110032)

VSD:

PSID: MT_2410110034MT_2490110032

2. To burn the new FW image to ConnectX-4 Lx flash: a. Install mst package and start mst as in section 1 above

36 Mellanox Technologies Rev: 1.4

b. To burn the firmware, run: mlxburn -d /dev/mst/mt4117_pciconf0 -i <fw.bin> c. To load the firmware, run: mlxfwreset -d /dev/mst/mt4117_pciconf0 reset -y

Updating Innova IPsec Adapter Card Firmware

Rev: 1.4

Mellanox Technologies 37

8 Troubleshooting

8.1

General

Server unable to find the adapter

The adapter no longer works

Adapters stopped working after installing another adapter

Link indicator light is off

Link light is on, but with no communication established

FPGA not found on mst status

• Ensure that the adapter is placed correctly

• Make sure the adapter slot and the adapter are compatible

• Install the adapter in a different PCI Express slot

• Use the drivers that came with the adapter or download the latest

• Make sure your motherboard has the latest BIOS

• Try to reboot the server

• Reseat the adapter in its slot or a different slot, if necessary

• Try using another cable

• Reinstall the drivers for the network driver files may be damaged or deleted

• Reboot the server

• Try removing and re-installing all adapters

• Check that cables are connected properly

• Make sure your motherboard has the latest BIOS

• Ensure that adapter driver/s is loaded

• Try another port on the switch

• Make sure the cable is securely attached

• Check you are using the proper cables that do not exceed the recommended lengths

• Verify that your switch and adapter port are compatible

• Check that the latest driver is loaded

• Check that both the adapter and its link are set to the same speed and duplex settings

• Verify the Innova IPsec kernel is loaded

• Load mlx5_fpga_tools module

• Start mlx_fpga tool uname -r modprobe mlx5_fpga_tools mst start --with_fpga mst status

38 Mellanox Technologies Rev: 1.4

8.2

Linux

Environment

Information

Card Detection

cat/etc/issue uname –a cat/proc/cupinfo | grep ‘model name’ | uniq ofed_info | head -1 ifconfig –a ethtool <interface> ethtool –i <interface_of_Mellanox_port_num> ibdev2netdev lspci | grep –i Mellanox

Download and install MFT: http://www.mellanox.com/content/pages.php?pg=management_tools&menu_section=34

Refer to the User Manual for installation instructions.

Mellanox Firmware Tool

(MFT)

Ports Information

Firmware Version

Upgrade

Collect Log File

Once installed, run: mst start mst status flint –d <mst_device> q ibstat lbv_devinfo

To download the latest firmware version refer to http://www.mellanox.com/supportdownloader

/var/log/messages dmesg > system.logF

Troubleshooting

Rev: 1.4

Mellanox Technologies 39

9 Specifications

9.1

MNV101511A-BCIT Specifications

Table 6 - MNV101511A-BCIT Specifications Table

Physical

Size: 2.7 in. x 6.6 in. (68.9 mm x167.65 mm)

Connector: Single QSFP (Copper and optical)

Protocol Support

Ethernet: 40GBASE-CR4, 40GBASE-KR4, 40GBASE-SR4, 40GBASE-ER4,

40GBASE-R2, 10GBASE-SR, 10GBASE-LR,10GBASE-ER, 10GBASE-CR,

10GBASE-KR

Data Rate: 10/40Gb/s – Ethernet

PCI Express Gen3: SERDES @ 8.0GT/s, 8 lanes (2.0 and 1.1 compatible)

Voltage: 3.3Vaux, 12V

Typ Power: Passive Cables: 18W

Power and

Environmental

Max Power: Passive Cables: less than 20.2W

1.5W Active Cables: 22W

Max power available through QSFP port: 1.5W

Temperature: Operational 0°C to 55°C a

Non-operational -40°C to 70°C

Humidity: 90% relative humidity b

Regulatory

Cable Support

Air Flow

cd

: 450LFM at 45°C

750 LFM at 55°C

Safety: IEC/EN 60950-1:2006

ETSI EN 300 019-2-2

IEC 60068-2- 64, 29, 32

RoHS: RoHS-R6

Please refer to http://www.mellanox.com/products/interconnect/cables-configurator.php

a. Ambient temperature may vary. Please contact Mellanox technical support if further assistance is needed.

b. For both operational and non-operational states.

c. Air flow is measured ~1” from the heat sink between the heat sink and the cooling air inlet.

d. Airflow requirements may vary according to ambient temperature and other parameters. Please contact

Mellanox technical support if further assistance is needed.

40 Mellanox Technologies Rev: 1.4

9.2

Innova IPsec 4 Lx EN LEDs

Figure 3: MNV101511A-BCIT LEDs Placement

1

(Example)

Specifications

Group A LEDs: Network LEDs - these LEDs indicate the network link status. See Section 9.2.1,

“Network LEDs Operation,” on page 42

for details.

Group B LEDs: Debug LEDs - indicate memory calibration done, memory BIST done, Con-

nectX-4 Lx link up is with traffic, Heartbeat and power good. See Section 9.2.2, “FPGA Debug

LEDs,” on page 43 for details.

Group C LEDs: FPGA load-flow Debug LEDs - see

Section 9.2.3, “FPGA Load-Flow Debug

LEDs,” on page 43

1. The adapter card is shipped with the heat sink assembled.

Rev: 1.4

Mellanox Technologies 41

9.2.1 Network LEDs Operation

Table 7 - Physical and Logical Link Indications

LED Function

Amber - physical link • Constant on indicates a good physical link

• Blinking indicates a problem with the physical link

• If neither LED is lit, then the physical link has not been established

Green - logical (data activity) link

• Constant on indicates a valid logical (data activity) link without data transfer.

• Blinking indicates a valid logical link with data transfer

• If only the green LED is lit and the Amber LED is off, then the logical link has not been established

LED Symbol

D1

42 Mellanox Technologies Rev: 1.4

9.2.2 FPGA Debug LEDs

Note:

D2-D9 are the “symbols” of these LEDs as printed on the board.

Table 8 - FPGA Debug LEDs

LED Symbols

D2

D3

D4

D5

D6

D7

D8

D9

LED Function

Power Good - Or on all POWER-GOOD inputs. Expected

LED ON.

Clock - the LED starts blinking once out of reset and the clock is running. Expected blinking LED 1Hz.

DDR Calibration DONE - the LED will be ON after powerup, if DDR calibration is successful.

DDR BIST Passed - DDR Built In Test runs once after power-up. LED will turn on if test passes successfully.

ConnectX Port Ready - the LED will be ON when FPGA-

ConnectX link is up.

ConnectX Port Traffic - the LED will blink when there is

FPGA-ConnectX traffic (TX/SX).

Network Port Ready - the LED will be ON when FPGA-

Network link is up.

Network Port Traffic - the LED will blink when there is

FPGA-Network traffic (TX/SX).

9.2.3 FPGA Load-Flow Debug LEDs

Table 9 - FPGA Load-Flow Debug LEDs

LED

Green - power good

Off - power issue

Red - during configuration

Green - when complete

Red - factory default

Green - user image

LED Symbol and Function

D10 - Power Good

D11- Configuration Done Indication

D12 - Configuration Image Selection

Specifications

Rev: 1.4

Mellanox Technologies 43

9.3

Board Mechanical Drawing and Dimensions

All dimensions are in millimeters.

All the mechanical tolerances are +/- 0.1mm.

Figure 4: Mechanical Drawing of the MNV101511A-BCIT Innova IPsec Adapter Card

167.65

68.9

44 Mellanox Technologies Rev: 1.4

9.4

Bracket Mechanical Drawing

Figure 5: Single-Port Tall Bracket

21.6

Specifications

120.02

Rev: 1.4

Mellanox Technologies 45

Figure 6: Single-Port Short Bracket

22.83

80.3

46 Mellanox Technologies Rev: 1.4

Appendix A: Fast Installation and Update

A.1

Hardware Installation

1. Shut down your system if active.

2. After shutting down the system, turn off power and unplug the cord.

3. Place the adapter in a standard PCI Express slot.

For further details, please refer to

Chapter 3,“Hardware Installation” on page 19.

A.2

Content of Innova IPsec Bundle

Mellanox provides an IPsec bundle which includes the following:

• FPGA image bin file

• Kernel RPM files

• MFT tarball file

• Firmware bin files

• Offload scripts (xfrm, iproute)

A.3

Software, Firmware and Tools Installation

The following instructions apply to installation only. If the bundle is already installed, please refer to

Appendix A.4, “Software, Firmware and Tools Update,” on page 48

.

Please make sure to install in the following order:

Step 1.

Step 1.

Step 2.

Download the bundle from www.mellanox.com

=> Products => Programmable Adapter

Cards => Innova IPsec => FW & SW. Each card is shipped with the latest version of the qualified FPGA image and firmware at the time of manufacturing. Please download the

Innova IPsec bundle that matches the FPGA image burned on your card.

To install the kernel:

Step 1.

Locate the RPM files in the Kernel folder:

• rpm -i kernel-<kernel_version>.rpm

• rpm -i kernel-devel-<kernel_version>.rpm

Step 2.

Reboot your system and select the relevant kernel to load from the grub menu.

To install MFT:

Untar the MFT tar file.

Install MFT by running: install.sh

Step 3.

Start MFT:

Step a.

modprobe mlx5_fpga_tools

Step b.

mst start --with_fpga

Rev: 1.4

Mellanox Technologies 47

Step c.

mst status apps-13:~ # modprobe mlx5_fpga_tools apps-13:~ # mst start --with_fpga apps-13:~ # mst status

MST modules:

------------

MST PCI module is not loaded

MST PCI configuration module is not loaded

MST devices:

------------

No MST devices were found nor MST modules were loaded.

You may need to run 'mst start' to load MST modules.

FPGA devices:

-------------------

/dev/mst/mt4117_pciconf0_fpga_i2c

/dev/mst/mt4117_pciconf1_fpga_rdma a a. It is recommended to use the RDMA device as it uses the fast path to the FPGA. I2C is used for recovery purposes when RDMA is not functional.

In case the FPGA image does not match the new bundle, the user must first downgrade the kernel, MFT and FW to the ones matching the FPGA image, update the image and only then upgrade the other components, as described in

Appendix A.4, “Software, Firmware and Tools

Update,” on page 48

.

A.4

Software, Firmware and Tools Update

In order to update FPGA image, all other components (kernel/MFT/FW) MUST match the same release. Please follow the exact order of the following steps where FPGA image update is first,

FW is second, kernel is third and MFT is last.

Step 1.

To download the bundle, please refer to www.mellanox.com

=> Products => Programmable

Adapter Cards => Innova IPsec => FW & SW

To update the FPGA image:

Step 1.

Locate the FPGA image bin file in the Images folder.

48 Mellanox Technologies Rev: 1.4

Step 2.

Find the device installed.

Rev: 1.4

Step 3.

Step 3.

Burn the FPGA image: mlx_fpga -d /dev/mst/mt4117_pciconf0_fpga_rdma burn <fpga_image.bin>

For further details, please refer to

Chapter 6,“mlx_fpga Tool” on page 33

.

To burn the latest Firmware:

Step 1.

Step 2.

Locate the firmware bin file in FW folder:

Burn the firmware: mlxburn -d /dev/mst/mt4117_pciconf0 -i <fw.bin>

To load the firmware:

Step 1.

mlxfwreset -d /dev/mst/mt4117_pciconf0 reset -y

For further details, please refer to

Chapter 7,“Updating Innova IPsec Adapter Card Firmware” on page 36

.

To install the most updated kernel:

Locate the RPM files in the Kernel folder:

• rpm -i kernel-<kernel_version>.rpm

• rpm -i kernel-devel-<kernel_version>.rpm

Reboot your system and select the relevant kernel to load from the grub menu.

Step 2.

For further details, please refer to

Chapter 5,“IPsec Offload Software Installation and Operation” on page 27.

Mellanox Technologies 49

To update MFT:

Step 1.

Untar the MFT tar file.

Step 2.

Install MFT by running: install.sh

Step 3.

Start MFT:

Step a.

modprobe mlx5_fpga_tools

Step b.

mst start --with_fpga

Step c.

mst status apps-13:~ # modprobe mlx5_fpga_tools apps-13:~ # mst start --with_fpga apps-13:~ # mst status

MST modules:

------------

MST PCI module is not loaded

MST PCI configuration module is not loaded

MST devices:

------------

No MST devices were found nor MST modules were loaded.

You may need to run 'mst start' to load MST modules.

FPGA devices:

-------------------

/dev/mst/mt4117_pciconf0_fpga_i2c

/dev/mst/mt4117_pciconf1_fpga_rdma a a. It is recommended to use the RDMA device as it uses the fast path to the FPGA. I2C is used for recovery purposes when RDMA is not functional.

50 Mellanox Technologies Rev: 1.4

Appendix B: Interface Connectors Pinout

B.1

QSFP Connector Pinout

Figure 7: Connector and Cage Views

Rev: 1.4

Table 10 - Connector Pin Number and Name to Signal Name Map

Connector Pin Number Connector Pin Name

1

2

3

4

5

6

7

8

9

10

GND

TXN_2

TXP_2

GND

TXN_4

TXP_4

GND

ModSelL_Port0

ResetL_Port0

Port A Signal Name

GND

Tx2n

Tx2p

GND

Tx4n

Tx4p

GND

ModSelL

ResetL

VccRx

Mellanox Technologies 51

Table 10 - Connector Pin Number and Name to Signal Name Map

31

32

33

34

27

28

29

30

35

36

37

38

23

24

25

26

19

20

21

22

15

16

17

18

11

12

13

14

Connector Pin Number Connector Pin Name

SCL

SDA

GND

RXP_3

RXN_3

GND

RXP_1

RXN_1

GND

GND

RXN_2

RXP_2

GND

RXN_4

RXP_4

GND

ModPrsl_Port0

IntL

LPMode_Port0

GND

TXP_3

TXN_3

GND

TXP_1

TXN_1

GND

Port A Signal Name

Mod PrsL

IntL

VccTx

Vcc1

LPMode

GND

Tx3p

Tx3n

GND

Tx1p

Tx1n

GND

GND

GND

Rx2n

Rx2p

GND

Rx4n

Rx4p

GND

SCL

SDA

GND

Rx3p

Rx3n

GND

Rx1p

Rx1n

52 Mellanox Technologies Rev: 1.4

B.2

PCI Express x8 Connector Pinout

The adapter cards use a standard PCI Express x8 edge connector and the PCI Express x8 standard pinout according to the PCI Express 3.0 specification.

Figure 8: PCIe x8 Connector Pinout

Rev: 1.4

Mellanox Technologies 53

B.3

I

2

C-compatible Connector Pinout

Figure 9: Compatible Connector Plug and Pinout

Connector Pin

Number

1

2

3

Signal Name

GND

SCL

SDA

54 Mellanox Technologies Rev: 1.4

Appendix C: Finding the MAC and Serial Number on the

Adapter Card

Each Mellanox adapter card has a different identifier printed on the label: serial number, and the card MAC for the Ethernet protocol.

The revision indicated on the labels in the following figures do not necessarily represent the latest revision of the card.

Figure 10: MNV101511A-BCIT Board Label

Rev: 1.4

Mellanox Technologies 55

Appendix D: Safety Warnings

1. Installation Instructions

Read all installation instructions before connecting the equipment to the power source.

2. Over-temperature

This equipment should not be operated in an area with an ambient temperature exceeding the maximum recommended: 55°C (131°F).

To guarantee proper air flow, allow at least 8cm (3 inches) of clearance around the ventilation openings.

3. During Lightning - Electrical Hazard

During periods of lightning activity, do not work on the equipment or connect or disconnect cables.

4. Copper Cable Connecting/Disconnecting

Some copper cables are heavy and not flexible, as such they should be carefully attached to or detached from the connectors. Refer to the cable manufacturer for special warnings and instructions.

5. Equipment Installation

This equipment should be installed, replaced, or serviced only by trained and qualified personnel.

6. Equipment Disposal

Disposal of this equipment should be in accordance to all national laws and regulations.

7. Local and National Electrical Codes

This equipment should be installed in compliance with local and national electrical codes.

56 Mellanox Technologies Rev 2.4

8. Hazardous Radiation Exposure

Caution – Use of controls or adjustment or performance of procedures other than those specified herein may result in hazardous radiation exposure.

CLASS 1 LASER PRODUCT and reference to the most recent laser standards:

IEC 60 825-1:1993 + A1:1997 + A2:2001 and EN 60825-1:1994+A1:1996+

A2:20.

Rev 2.4

Mellanox Technologies 57

Appendix E: Avertissements de sécurité d’installation (Warnings in French)

1. Instructions d’installation

Lisez toutes les instructions d’installation avant de brancher le matériel à la source d’alimentation électrique.

2. Température excessive

Ce matériel ne doit pas fonctionner dans une zone avec une température ambiante dépassant le maximum recommandé de 55°C (131°F). Un flux d’air de 200LFM à cette température ambiante maximale est nécessaire. En outre, pour garantir un bon

écoulement de l’air, laissez au moins 8 cm (3 pouces) d’espace libre autour des ouvertures de ventilation.

3. Orages – dangers électriques

Pendant un orage, il ne faut pas utiliser le matériel et il ne faut pas brancher ou débrancher les câbles.

4. Branchement/débranchement des câbles en cuivre

Les câbles en cuivre sont lourds et ne sont pas flexibles, il faut donc faire très attention en les branchant et en les débranchant des connecteurs. Consultez le fabricant des câbles pour connaître les mises en garde et les instructions spéciales.

5. Installation du matériel

Ce matériel ne doit être installé, remplacé ou entretenu que par du personnel formé et qualifié.

6. Elimination du matériel

L’élimination de ce matériel doit s’effectuer dans le respect de toutes les législations et réglementations nationales en vigueur.

7. Codes électriques locaux et nationaux

Ce matériel doit être installé dans le respect des codes électriques locaux et nationaux.

58 Mellanox Technologies Rev 2.4

8. Exposition au rayonnement grave

Mise en garde – l'utilisation de commandes ou de réglages ou l'exécution de procédures autres que ce qui est spécifié dans les présentes peut engendrer une exposition au rayonnement grave.

PRODUIT LASER DE CLASSE 1 » et références aux normes laser les plus récentes CEI 60 825-1

Rev 2.4

Mellanox Technologies 59

Appendix F: Sicherheitshinweise (Warnings in German)

1. Installationsanleitungen

Lesen Sie alle Installationsanleitungen, bevor Sie das Gerät an die Stromversorgung anschließen.

2. Übertemperatur

Dieses Gerät sollte nicht in einem Bereich mit einer Umgebungstemperatur über der maximal empfohlenen Temperatur von 55°C (131°F) betrieben werden. Es ist ein Luftstrom von 200 LFM bei maximaler Umgebungstemperatur erforderlich. Außerdem sollten mindestens 8 cm (3 in.) Freiraum um die Belüftungsöffnungen sein, um einen einwandfreien Luftstrom zu gewährleisten.

3. Bei Gewitter - Elektrische Gefahr

Arbeiten Sie während eines Gewitters und Blitzschlag nicht am Gerät, schließen Sie keine Kabel an oder ab.

4. Anschließen/Trennen von -Kupferkabel

Kupferkabel sind schwer und nicht flexible. Deshalb müssen sie vorsichtig an die

Anschlüsse angebracht bzw. davon getrennt werden. Lesen Sie die speziellen Warnungen und Anleitungen des Kabelherstellers.

5. Geräteinstallation

Diese Gerät sollte nur von geschultem und qualifiziertem Personal installiert, ausgetauscht oder gewartet werden.

6. Geräteentsorgung

Die Entsorgung dieses Geräts sollte unter Beachtung aller nationalen Gesetze Bestimmungen erfolgen.

7. Regionale und nationale elektrische Bestimmungen t

Dieses Gerät sollte unter Beachtung der regionalen und nationalen elektrischen Bestimmungen installiert werden.

60 Mellanox Technologies Rev 2.4

8. Strahlenkontak

Achtung – Nutzung von Steuerungen oder Einstellungen oder Ausführung von

Prozeduren, die hier nicht spezifiziert sind, kann zu gefährlichem Strahlenkontakt führen.

Klasse 1 Laserprodukt und Referenzen zu den aktuellsten Lasterstandards :

ICE 60 825-1

Rev 2.4

Mellanox Technologies 61

Appendix G: Advertencias de seguridad para la instalación

(Warnings in Spanish)

1. Instrucciones de instalación

Antes de conectar el equipo a la fuente de alimentación, leer todas las instrucciones de instalación.

2. Sobrecalentamiento

No se debe utilizar el equipo en un área con una temperatura ambiente superior a la máxima recomendada: 55°C(131°F). Además, para garantizar una circulación de aire adecuada, se debe dejar como mínimo un espacio de 8 cm (3 pulgadas) alrededor de las aberturas de ventilación.

3. Cuando hay rayos: peligro de descarga eléctrica

No utilizar el equipo ni conectar o desconectar cables durante períodos de actividad de rayos.

4. Conexión y desconexión del cable Copper

Dado que los cables de cobre son pesados y no son flexibles, su conexión a los conectores y su desconexión se deben efectuar con mucho cuidado. Para ver advertencias o instrucciones especiales, consultar al fabricante del cable.

5. Instalación de equipos

La instalación, el reemplazo y el mantenimiento de este equipo estarán a cargo únicamente de personal capacitado y competente.

6. Eliminación de equipos

La eliminación definitiva de este equipo se debe efectuar conforme a todas las leyes y reglamentaciones nacionales.

7. Códigos eléctricos locales y nacionales

Este equipo se debe instalar conforme a los códigos eléctricos locales y nacionales.

62 Mellanox Technologies Rev 2.4

8. Exposición a niveles de radiación peligrosos

Precaución: el uso de controles o ajustes o la realización de procedimientos distintos de los que aquí se especifican podrían causar exposición a niveles de radiación peligrosos.

PRODUCTO LÁSER DE CLASE 1 y referencia a las normas de láser más recientes:

IEC 60825-1

Rev 2.4

Mellanox Technologies 63

advertisement

Key Features

  • 10/40 Gigabit Ethernet
  • IPsec Offload
  • Overlay Networks
  • RDMA and RDMA over Converged Ethernet (RoCE)
  • Mellanox PeerDirect™
  • CPU offload
  • Hardware-based I/O
  • Virtualization
  • Storage Acceleration
  • Distributed RAID

Frequently Answers and Questions

What are the system requirements for Innova IPsec 4 Lx?
A system with a PCI Express x8 slot is required for installing the card.
What operating systems/distributions are supported by the Innova IPsec 4 Lx?
The card is supported by RHEL/CentOS, Ubuntu, Fedora, and OpenFabrics Enterprise Distribution (OFED).
What is the purpose of the Innova IPsec 4 Lx's on-board FPGA?
The FPGA is used to offload the processing of IPsec algorithms, freeing up the CPU and easing network bottlenecks.
What are the benefits of using the Innova IPsec 4 Lx for IPsec offload?
The benefits include offloading compute intensive crypto algorithms from the host CPU, enabling the adapter to reach full wire speed with IPsec secured traffic on the wire while reducing CPU utilization, and preventing traffic from undergoing the kernel network stacks process more than once.
What IPsec protocols and internet protocols are supported by the Innova IPsec 4 Lx?
The Innova IPsec 4 Lx supports: ESP modes (Tunnel and Transport), AH modes (Tunnel and Transport), IPv4 and IPv6.

Related manuals

Download PDF

advertisement

Table of contents