BAY® Inline IPsec

Demo Installation Guide (MAP80

FPGA board)

This controlled document is the proprietary of Arrive

Technologies Inc. Any duplication, reproduction, or
transmission to unauthorized parties is prohibited.
Copyright ©2012–2019 Arrive Technologies.
Contents
History 3
Overview 4
Server setup guide 5
Load FPGA 5
Post install 5
Install Oracle Java 5
Cores isolation 6
Cards license 6
Run the demo 7
Demo model 7
Connecting to the server 7
Run VPP 7
Run with hardware Inline IPsec 7
Run with so ware AESNI IPsec 8
Running TRex 8
TRex server 8
TRex GUI 8
Setup profile 9
Start traffic 11
Developing 16
Build VPP/DPDK 16
Build TRex 16
History
Revision Date Description
1.0 Jan 27, 2019 Initial version
1.1 Mar 20, 2019 Simplify setup procedures
1.2 May 16, 2019 - Add guideline how to setup enable SSH login with root account
- Update post install steps to install python, setup git and Oracle Java

©2018-2019 Arrive Technologies All Rights Reserved Page 3 of 16

Overview
This document is to describe all of steps to setup server and run IPsec inline demo. The demo.tar.gz package contains:
■ demo script to simplify OS installation, build process, demo procedures, …
■ Source codes of all applications: VPP, TRex, DPDK, ATBAY, AES-NI
■ Script templates to generate scripts appropriated to new server
■ FPGA (.sof ) to load into the cards
■ FPGA License file
The demo script will be used to setup OS, setup workspace for compiling so ware and generate scripts. It is also used to run
VPP/TRex including TRex GUI. Below are its commands to be used, more detail of these commands will be discussed later.
■ demo setup : to setup everything a er OS has been installed. This command will do:
♦ Install all of libraries, tools
♦ Build VPP and TRex
♦ Install Quartus FPGA programming tool.
♦ Load FPGAs
■ demo run vpp : run VPP
■ demo run trex : run TRex server
■ demo run trex-gui : run TRex client GUI

©2018-2019 Arrive Technologies All Rights Reserved Page 4 of 16

Server setup guide
Load FPGA
demo script can help to simplify FPGA loading procedure in case there is USB port on server so that mini USB cable can be
used
■ Make sure that mini USB cables are connected to two cards. One cable is still fine and the script will ask to
connect to other card when finish loading FPGA on one card.
■ Install FPGA programming tool Quatus which is included in the package. Quastus installed path can be declared
with option --quartus-install-dir . If this not input, then Quartus is installed in {curDir}/intelFPGA_pro/18.1.

# Install Quatus
/home/intel/demo setup --quartus

■ Load FPGA and reboot

# Load image to cards
/home/intel/demo setup --load-fpga --fpga-sof=<path/to/fpga.sof> --reboot

Post install
This step will install all of libraries, tools, so ware source code, … enough to run the demo.
■ Make sure FPGA has been loaded on two MAP cards.
■ A er booting up, from the boot console, use ifconfig to see what IP of the network interface and use it to ssh
to. In this document, account intel/******** will be used.
■ On local machine, use scp to transfer the demo.tar.gz to this server. Example: scp
<path/to/demo.tar.gz> intel@<serverIP>:/home/intel/
■ On local machine, use PuTTY or any of other terminal client to ssh to this server with intel/********
account. Then run below commands:

cd /home/intel
tar -xzf demo.tar.gz
chmod +x prepare demo

# Install python and pip if needed

sudo ./prepare

# Setup git just because VPP build system require this.

git config --global user.email "your_valid_email@company.com"
git config --global user.name "Your name"

# Setup all of necessary things

sudo ./demo setup --workspace

This full setup may take 10 minutes or even longer depend on network speed.
Install Oracle Java
As JavaFX is required to run TRex GUI and OpenJDK does not have this, so Oracle Java 8 is required. Use below command to
install Oracle Java tar ball which is included in demo package:

sudo ./demo setup --oracle-java

©2018-2019 Arrive Technologies All Rights Reserved Page 5 of 16

Cores isolation
In order to maximize throughput, cores which are used for TRex and VPP need to be isolated, choosing which CPUs to
isolate requires careful consideration of the CPU topology of the system and the PCIe slots which MAP cards reside. demo
script can help to choose cores to be isolated corresponding to the numa node that cards reside and update
/etc/default/grub to do the isolation, current grub file is backed up to /etc/default/grub_demo_backup before
being updated, reboot is required to make change affect.

sudo ./demo setup --isolate-cores --reboot

Cards license
Assume post install is complete and server is reboot. In case of new MAP cards, BAY hardware license is required to run
DPDK-based applications. The license.key included in this demo package contains keys that can be used to activate the
cards. To check if current cards already have associated keys, then use the command sudo /home/intel/demo show
card_license . For cards that do not have associated license information, please send email to Arrive Technologies
Vietnam to ask for generating card licenses, then replace the license.key by new file.
The sudo /home/intel/demo show card_license will display activate status (active or not-active ) and this
does not matter as when running VPP or TRex, the demo script will activate the card before running those applications.

©2018-2019 Arrive Technologies All Rights Reserved Page 6 of 16

Run the demo
This step requires license is fully setup.
Demo model
TRex TRex VPP
Packet generator Packet analyzer

DPDK DPDK
BAY PMD BAY PMD

Arrive BAY Arrive BAY

MAP-80/100 MAP-80/100

Enc r y pt D e c r y pt Enc r y pt D e c r y pt

8x10GE Tx 8x10GE Rx 8x10GE Tx 8x10GE Rx

Figure 4- 1 - IPsec inline

Above figure show Hardware IPsec inline model where traffic is encrypted/decrypted inline by hardware.

TRex TRex VPP

Packet generator Packet analyzer

DPDK DPDK

BAY PMD BAY PMD AES-NI PMD

Arrive BAY Arrive BAY

MAP-80/100 MAP-80/100 D e c r y pt Enc r y pt

Enc r y pt D e c r y pt C r y pt o by pass AES-NI Crypto

8x10GE Tx 8x10GE Rx 8x10GE Tx 8x10GE Rx

Figure 4- 2 - IPsec lookaside with AESNI

Above figure show IPsec lookaside model where traffic is enqueued to AESNI Crypto PMD for encrypting/decrypting and
dequeue from that to have encrypted/decrypted traffic.
Connecting to the server
■ If server’s desktop is not being used directly, VNC is a good choice, how to setup VNC on RHEL7 is beyond scope of
this document.
Run VPP
Run with hardware Inline IPsec
# To run GCM-128, 1 core per port
sudo /home/intel/demo run vpp --cores-per-port 1 --gcm-mode gcm_128

# To run GCM-128, 2 core per port

sudo /home/intel/demo run vpp --cores-per-port 2 --gcm-mode gcm_128

# To run GCM-256, 1 core per port

sudo /home/intel/demo run vpp --cores-per-port 1 --gcm-mode gcm_256

©2018-2019 Arrive Technologies All Rights Reserved Page 7 of 16

 # To run GCM-256, 2 core per port
sudo /home/intel/demo run vpp --cores-per-port 2 --gcm-mode gcm_256

Run with so ware AESNI IPsec

# To run GCM-128, 1 core per port
sudo /home/intel/demo run vpp --cores-per-port 1 --gcm-mode gcm_128 --with -aesni

# To run GCM-128, 2 core per port

sudo /home/intel/demo run vpp --cores-per-port 2 --gcm-mode gcm_128 --with -aesni

# To run GCM-256, 1 core per port

sudo /home/intel/demo run vpp --cores-per-port 1 --gcm-mode gcm_256 --with -aesni

# To run GCM-256, 2 core per port

sudo /home/intel/demo run vpp --cores-per-port 2 --gcm-mode gcm_256 --with -aesni

Running TRex
TRex server
# To run GCM-128
sudo /home/intel/demo run trex --gcm-mode gcm_128

# To run GCM-256
sudo /home/intel/demo run trex --gcm-mode gcm_256

TRex GUI
Assume that VNC connection has been established, open new terminal to start TRex GUI by below command:

sudo /home/intel/demo run trex-gui

The connect to localhost as below UI:

©2018-2019 Arrive Technologies All Rights Reserved Page 8 of 16

 Figure 7- 1 - TRex GUI connect

Setup profile
TRex profiles need to be load to start traffic generating with different payload sizes and streams. Once profiles are load, they
will be stored locally in TRex private folder to avoid loading traffic profiles every time TRex GUI runs.
All of traffic profiles are stored at scripts_template/trex_2tunnel_per_port/256_streams_2_tunnel relative
folder. Need to change the preference to point to this folder as profile default loading path as below:

Figure 7- 2 - Go to preference

Below screen appears to specify the location to load profiles from.

©2018-2019 Arrive Technologies All Rights Reserved Page 9 of 16

 Figure 7- 3 - Preference

Just navigate to scripts_template/trex_2tunnel_per_port/256_streams_2_tunnel or simply input

/home/intel/scripts_template/trex_2tunnel_per_port/256_streams_2_tunnel and press OK .
Go to traffic profiles menu as below:

Figure 7- 4 - Go to traffic profiles

Below screen appears with no profiles loaded.

Figure 7- 5 - Profiles main window

©2018-2019 Arrive Technologies All Rights Reserved Page 10 of 16

Pressing Load Profile brings the GUI to select profiles to be load. Each payload size will have 8 profiles for 8 ports. Just
select them all. Below screen shows 512B profiles for 8 ports. Note, below figure is just an example and the path in the
below should be
/home/intel/scripts_template/trex_2tunnel_per_port/256_streams_2_tunnel/512_bytes

Figure 7- 6 - 512B profile

Select all of profiles to load. A er loading all of 8 profiles of 512B for 8 ports, we have below result.

Figure 7- 7 - 512B profile

Just repeat this procedure to load traffic profiles for packet sizes that need to run. Then close the Traffic Profiles
window to start traffic with next section.
Start traffic
Need to acquire all ports to specify their traffic profiles.

©2018-2019 Arrive Technologies All Rights Reserved Page 11 of 16

 Figure 7- 8 - TRex GUI port acquire

Then select profile for each port.

Figure 7- 9 - TRex GUI select port profile

Adjust port bandwidth to 100%.

©2018-2019 Arrive Technologies All Rights Reserved Page 12 of 16

 Figure 7- 10 - TRex GUI adjust port bandwidth

Now follow the same way on remaining ports. The below table is ID mapping between port ID and TRex port ID.

Port ID TRex Port ID

1 0
2 2
3 4
4 6
5 8
6 10
7 12
8 14

IMPORTANT: Profile of one port CANNOT be used for other port. Doing so will make both
TRex GUI and Server malfunction and need to restart both of them.
Having all profiles setup on all ports, start traffic on all of them as below figure.

©2018-2019 Arrive Technologies All Rights Reserved Page 13 of 16

 Figure 7- 11 - TRex GUI start traffic

Finally, open dashboard to see how traffic is running.

Figure 7- 12 - TRex GUI dash board

It looks like below:

©2018-2019 Arrive Technologies All Rights Reserved Page 14 of 16

 Figure 7- 13 - TRex GUI dash board - total BW

©2018-2019 Arrive Technologies All Rights Reserved Page 15 of 16

Developing
This section guides how to build VPP/TRex just in case if they need to be updated.
Build VPP/DPDK
# Build
/home/intel/demo build --vpp

# Or rebuild
/home/intel/demo build --vpp --rebuild

Build TRex
# Build
/home/intel/demo build --trex

# Or rebuild
/home/intel/demo build --trex --rebuild

©2018-2019 Arrive Technologies All Rights Reserved Page 16 of 16