Sun Crypto Accelerator 4000 Board Version 1.1 Installation and User's Guide

This chapter describes how to configure the vca device driver parameters used by both the Sun Crypto Accelerator 4000 UTP and MMF Ethernet adapters. This chapter contains the following sections:

• Ethernet Device Driver (vca) Parameters
• Setting vca Driver Parameters
• Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM
• Cryptographic and Ethernet Driver Operating Statistics
• Network Configuration

---

Ethernet Device Driver (vca) Parameters

The vca device driver controls the Sun Crypto Accelerator 4000 UTP and MMF Ethernet devices. The vca driver is attached to the UNIX pci name property pci108e,3de8 for the Sun Crypto Accelerator 4000 (108e is the vendor ID and 3de8 is the PCI device ID).

You can manually configure the vca device driver parameters to customize each Sun Crypto Accelerator 4000 device in your system. This section provides an overview of the capabilities of the Sun Crypto Accelerator 4000 Ethernet device used in the board, lists the available vca device driver parameters, and describes how to configure these parameters.

The Sun Crypto Accelerator 4000 Ethernet UTP and MMF PCI adapters are capable of the operating speeds and modes listed in Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM. By default, the vca device operates in autonegotiation mode with the remote end of the link (link partner) to select a common mode of operation for the speed, duplex, and link-clock parameters. The link-clock parameter is applicable only if the board is operating at 1000 Mbps. The vca device can also be configured to operate in forced mode for each of these parameters.

Caution - To establish a proper link, both link partners must operate in either autonegotiation or forced mode for each of the speed, duplex, and link-clock (1000 Mbps only) parameters. If both link partners are not operating in the same mode for each of these parameters, network errors will occur. See Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM.

Driver Parameter Values and Definitions

TABLE 3-1 describes the parameters and settings for the vca device driver.

Advertised Link Parameters

The following parameters determine the transmit and receive speed and duplex link parameters to be advertised by the vca driver to its link partner. TABLE 3-2 describes the operational mode parameters and their default values.

The Sun Crypto Accelerator 4000 UTP adapter advertised link parameters are different from those of the Sun Crypto Accelerator 4000 MMF adapter as shown in TABLE 3-2.

If all of the parameters in TABLE 3-2 are set to 1, autonegotiation uses the highest speed possible. If all of these parameters are set to 0, you receive the following error message:

NOTICE: Last setting will leave vca0 with no link capabilities.

WARNING: vca0: Restoring previous setting.

Flow Control Parameters

The vca device is capable of sourcing (transmitting) and terminating (receiving) pause frames conforming to the IEEE 802.3x Frame Based Link Level Flow Control Protocol. In response to received flow control frames, the vca device is capable of reducing its transmit rate. Alternately, the vca device is capable of sourcing flow control frames, requesting the link partner to reduce its transmit rate if the link partner supports this feature. By default, the driver advertises both transmit and receive pause capability during autonegotiation.

TABLE 3-3 provides flow control keywords and describes their function.

Gigabit Forced Mode Parameter

For Gigabit links, this parameter determines the link-master. Generally, switches are enabled as a link master; in which case, this parameter can remain unchanged. If this is not the case, then the link-master parameter can be used to enable the vca device as a link master.

Interpacket Gap Parameters

The vca device supports the enable-ipg0 programmable mode.

Before transmitting a packet with enable-ipg0 enabled (default), the vca device adds an additional time delay. This delay, set by the ipg0 parameter, is in addition to the delay set by the ipg1 and ipg2 parameters. The additional ipg0 delay reduces collisions.

If enable-ipg0 is disabled, the value of ipg0 is ignored and no additional delay is set. Only the delays set by ipg1 and ipg2 are used. Disable enable-ipg0 if other systems keep sending a large number of continuous packets. Systems that have enable-ipg0 enabled might not have enough time on the network. You can add the additional delay by setting the ipg0 parameter from 0 to 255, which is the media byte-time delay. TABLE 3-5 defines the enable-ipg0 and ipg0 parameters.

The vca device supports the programmable interpacket gap (IPG) parameters ipg1 and ipg2. The total IPG is the sum of ipg1 and ipg2. The total IPG is 0.096 microseconds for the link speed of 1000 Mbps.

TABLE 3-6 lists the default values and allowable values for the IPG parameters.

By default, the driver sets ipg1 to 8-byte time and ipg2 to 4-byte time, which are the standard values. (Byte time is the time it takes to transmit one byte on the link, with a link speed of 1000 Mbps.)

If your network has systems that use longer IPG (the sum of ipg1 and ipg2), and if those machines seem to be slow in accessing the network, increase the values of ipg1 and ipg2 to match the longer IPGs of other machines.

Interrupt Parameters

TABLE 3-7 describes the receive interrupt blanking values.

Random Early Drop Parameters

These parameters provide the ability to drop packets based on the fullness of the receive FIFO. By default, this feature is disabled. When FIFO occupancy reaches a specific range, packets are dropped according to the preset probability. The probability should increase when the FIFO level increases. Control packets are never dropped and are not counted in the statistics.

PCI Bus Interface Parameters

These parameters enable you to modify PCI interface features to gain better PCI interperformance for a given application.

---

Setting vca Driver Parameters

You can set the vca device driver parameters in two ways:

• Using the ndd utility
• Using the vca.conf file

If you use the ndd utility, the parameters are valid only until you reboot the system. This method is good for testing parameter settings.

To set parameters so they remain in effect after you reboot the system, create a
/kernel/drv/vca.conf file and add parameter values to this file when you need to set a particular parameter for a device in the system. See To Set Driver Parameters Using a vca.conf File for details.

Setting Parameters Using the ndd Utility

Use the ndd utility to configure parameters that are valid until you reboot the system.

The following sections describe how you can use the vca driver and the ndd utility to modify (with the -set option) or display (without the -set option) the parameters for each vca device.

Before you use the ndd utility to get or set a parameter for a vca device, you must specify the device instance for the utility.

1. Check the /etc/path_to_inst file to identify the instance number associated with a particular device. Refer to the online manual pages for path_to_inst(4).

# grep vca /etc/path_to_inst

"/pci@8,600000/network@1" 0 "vca"

"/pci@8,700000/network@1" 1 "vca"

In the previous example, the three Sun Crypto Accelerator 4000 Ethernet instances are from the installed adapters. The instance numbers are 0 and 1.

2. Use the instance number to select the device.

# ndd -set /dev/vcaN

The device remains selected until you change the selection.

Noninteractive and Interactive Modes

You can use the ndd utility in two modes:

• Noninteractive
• Interactive

In noninteractive mode, you invoke the utility to execute a specific command. Once the command is executed, you exit the utility. In interactive mode, you can use the utility to get or set more than one parameter value. Refer to the ndd(1M) online manual page for more information.

Using the ndd Utility in Noninteractive Mode

This section describes how to modify and display parameter values.

To modify a parameter value, use the -set option.

If you invoke the ndd utility with the -set option, the utility passes value, which must be specified to the named /dev/vca driver instance, and assigns it to the parameter:

# ndd -set /dev/vcaN parameter value

When you change any adv parameter, a message similar to the following appears:

- link up 1000 Mbps half duplex

To display the value of a parameter, specify the parameter name and omit the value.

When you omit the -set option, a query operation is assumed and the utility queries the named driver instance, retrieves the value associated with the specified parameter, and prints it:

# ndd /dev/vcaN parameter

Using the ndd Utility in Interactive Mode

To modify a parameter value in interactive mode, specify ndd /dev/vcaN, as shown below.

The ndd utility then prompts you for the name of the parameter:

# ndd /dev/vcaN

name to get/set? (Enter the parameter name or ? to view all parameters)

After typing the parameter name, the ndd utility prompts you for the parameter value (see TABLE 3-1 through TABLE 3-9).

To list all the parameters supported by the vca driver, type ndd /dev/vcaN.

(See TABLE 3-1 through TABLE 3-9 for parameter descriptions.)

# ndd /dev/vcaN

name to get/set ? ?

?                             (read only)

instance                      (read and write)

adv-autoneg-cap               (read and write)

adv-1000fdx-cap               (read and write)

adv-1000hdx-cap               (read and write)

adv-100fdx-cap                (read and write)

adv-100hdx-cap                (read and write)

adv-10fdx-cap                 (read and write)

adv-10hdx-cap                 (read and write)

adv-asmpause-cap              (read and write)

adv-pause-cap                 (read and write)

pause-on-threshold            (read and write)

pause-off-threshold           (read and write)

link-master                   (read and write)

enable-ipg0                   (read and write)

ipg0                          (read and write)

ipg1                          (read and write)

ipg2                          (read and write)

rx-intr-pkts                  (read and write)

rx-intr-time                  (read and write)

red-p4k-to-6k                 (read and write)

red-p6k-to-8k                 (read and write)

red-p8k-to-10k                (read and write)

red-p10k-to-12k               (read and write)

tx-dma-weight                 (read and write)

rx-dma-weight                 (read and write)

infinite-burst                (read and write)

disable-64bit                 (read and write)

name to get/set ?

# 

Setting Autonegotiation or Forced Mode

The following link parameters can be set to operate in either autonegotiation or forced mode:

• speed
• duplex
• link-clock

By default, autonegotiation mode is enabled for these link parameters. When either of these parameters are in autonegotiation mode, the vca device communicates with the link partner to negotiate a compatible value and flow control capability. When a value other than auto is set for either of these parameters, no negotiation occurs and the link parameter is configured in forced mode. In forced mode, the value for the speed parameter must match between link partners. See Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM.

If your network equipment does not support autonegotiation, or if you want to force your network speed, duplex, or link-clock parameters, you can disable the autonegotiation mode on the vca device.

1. Set the following driver parameters to the values that are described in the documentation delivered with your link partner device (for example, a switch):

• adv-1000fdx-cap
• adv-1000hdx-cap
• adv-100fdx-cap
• adv-100hdx-cap
• adv-10fdx-cap
• adv-10hdx-cap
• adv-asmpause-cap
• adv-pause-cap

See TABLE 3-2 for the descriptions and possible values of these parameters.

2. Set the adv-autoneg-cap parameter to 0.

# ndd -set /dev/vcaN adv-autoneg-cap 0

When you change any ndd link parameter, a message similar to the following appears:

link up 1000 Mbps half duplex

Setting Parameters Using the vca.conf File

You can also specify the driver parameter properties by adding entries to the vca.conf file in the /kernel/drv directory. The parameter names are the same names listed in Driver Parameter Values and Definitions.

Caution - Do not remove any of the default entries in the /kernel/drv/vca.conf file.

The online manual pages for prtconf(1) and driver.conf(4) include additional details. The next procedure shows an example of setting parameters in a vca.conf file.

Variables defined in the previous section apply to known devices in the system. To set a variable for a Sun Crypto Accelerator 4000 board with the vca.conf file, you must know the following three pieces of information for the device: device name, device parent, and device unit address.

1. Obtain the hardware path names for the vca devices in the device tree.

a. Check the /etc/driver_aliases file to identify the name associated with a particular device.

# grep vca /etc/driver_aliases

vca "pci108e,3de8"

In the previous example, the device name associated with the Sun Crypto Accelerator 4000 software driver (vca) is "pci108e,3de8".

b. Locate the device parent name and device unit address in the
/etc/path_to_inst file.

Refer to the online manual pages for path_to_inst(4).

# grep vca /etc/path_to_inst

"/pci@8,600000/network@1" 0 "vca"

"/pci@8,700000/network@1" 1 "vca"

In the previous example, there are three columns of output: Device path name, instance number, and software driver name.

The device path name in the first line of the previous example is "/pci@8,600000/network@1". Device path names are made up of three parts: Device parent name, device node name, and device unit address. See TABLE 3-10.

To identify a PCI device unambiguously in the vca.conf file, use the entire device path name (parent name, node name, and the unit address) for the device. Refer to the pci(4) online manual page for more information about the PCI device specification.

2. Set the parameters for the vca devices in the /kernel/drv/vca.conf file.

In the following entry, the adv-autoneg-cap parameter is disabled for a particular Sun Crypto Accelerator 4000 Ethernet device.

name="pci108e,3de8" parent="/pci@8,700000" unit-address="1" adv-autoneg-cap=0;

3. Save the vca.conf file.

4. Save and close all files and programs, and exit the windowing system.

5. Shut down and reboot the system.

Setting Parameters for All Sun Crypto Accelerator 4000 vca Devices With the vca.conf File

If you omit the device path name (parent name, node name, and the unit address), the variable is set for all instances of all Sun Crypto Accelerator 4000 Ethernet devices.

1. Add a line in the vca.conf file to change the value of a parameter for all instances by entering parameter=value;.

The following example sets the adv-autoneg-cap parameter to 1 for all instances of all Sun Crypto Accelerator 4000 Ethernet devices:

adv-autoneg-cap=1;

Example vca.conf File

The following is an example vca.conf file:

#

# Copyright 2003 Sun Microsystems, Inc.  All rights reserved.

# Use is subject to license terms.

#

#ident  "@(#)vca.conf   1.3     03/10/13 SMI"

#

# Use the new Solaris 9 ddi-no-autodetach property to prevent the

# driver from being unloaded by the cleanup modunload -i 0.

#

ddi-no-autodetach=1;

---

Enabling Autonegotiation or Forced Mode for Link Parameters With the OpenBoot PROM

The following parameters can be configured to operate in autonegotiation or forced mode at the OpenBoot PROM interface:

To establish a proper link, the speed, duplex, and link-clock (1000 Mbps only) parameters must be configured correctly between the local link and the link partner. Both link partners must operate in either autonegotiation or forced mode for each of the speed, duplex, and link-clock (1000 Mbps only) parameters. A value of auto for any of these parameters configures the link to operate in autonegotiation mode for that parameter. The absence of a parameter at the OpenBoot PROM ok prompt configures that parameter to have a default value of auto. A value other than auto configures the local link to operate in forced mode for that parameter.

When the local link is operating in autonegotiation mode for the speed and duplex parameters at 100 Mbps and below, and both full and half duplexes, then the link partner uses either the 100 Mbps or 10 Mbps speeds with either duplex.

When the speed parameter is operating in forced mode, the value must match the speed value of the link-partner. If the duplex parameter does not match between the local link and the link partner, the link might come up; however, traffic collisions will occur.

When the local link speed parameter is set to autonegotiation and the link partner speed parameter is set to forced, the link might come up depending on whether the speed value can be negotiated between the local link and the link partner. The interface in autonegotiation mode always tries to establish a link (if there is a speed match) at half duplex by default. Because one of the two interfaces is not in autonegotiation mode, the interface in autonegotiation mode detects only the speed parameter; the duplex parameter is not detected. This method is called parallel-detection.

Caution - The establishment of a link with a duplex conflict always leads to traffic collisions.

For a local link parameter to operate in forced mode, the parameter must have a value other than auto. For example, to establish a forced mode link at 100 Mbps with half duplex, type the following at the OpenBoot PROM ok prompt:

ok boot net:speed=100,duplex=half

To establish a forced mode link at 1000 Mbps with half duplex that is a clock master, type the following command at the OpenBoot PROM ok prompt:

ok boot net:speed=1000,duplex=half,link-clock=master

To establish a forced mode for a speed of 10 Mbps and an autonegotiation mode for duplex, type the following at the OpenBoot PROM ok prompt:

ok boot net:speed=10,duplex=auto

You could also type the following at the OpenBoot PROM ok prompt to establish the same local link parameters as the previous example:

ok boot net:speed=10

Refer to the IEEE 802.3 documentation for further details.

---

Cryptographic and Ethernet Driver Operating Statistics

This section describes the statistics presented by the kstat(1M) command.

Cryptographic Driver Statistics

TABLE 3-12 describes the cryptographic driver statistics.

Ethernet Driver Statistics

TABLE 3-13 describes the Ethernet driver statistics.

TABLE 3-14 describes the transmit and receive MAC counters.

The following Ethernet properties (TABLE 3-15) are derived from the intersection of device capabilities and the link partner capabilities.

TABLE 3-16 describes the read-only Media Independent Interface (MII) capabilities. These parameters define the capabilities of the hardware. The Gigabit Media Independent Interface (GMII) supports all of the following capabilities.

Reporting the Link Partner Capabilities

TABLE 3-17 describes the read-only link partner capabilities.

If the link partner is not capable of autonegotiation (when lp-cap-autoneg is 0), the remaining information described in TABLE 3-17 is not relevant and the parameter value is 0.

If the link partner is capable of autonegotiation (when lp-cap-autoneg is 1), then the speed and mode information is displayed when you use autonegotiation and the link partner capabilities.

TABLE 3-18 describes the driver-specific parameters.

As superuser, type the kstat vca:N command:

# kstat vca:N

module: vca                             instance: 0     

name:   vca0                            class:    misc

Where N is the instance number of the vca device. This number should reflect the instance number of the board for which you are running the kstat command.

IPsec In-Line Acceleration Statistics

TABLE 3-19 describes the kernel statistics that are incremented when the board is configured for in-line IPsec hardware acceleration. See Enabling In-Line IPsec Acceleration for instructions on how to configure the board to use the in-line IPsec configuration.

---

Network Configuration

This section describes how to edit the network host files after the adapter has been installed on your system.

Configuring the Network Host Files

After installing the driver software, you must create a hostname.vcaN file for the adapter's Ethernet interface. Note that in the file name hostname.vcaN, N corresponds to the instance number of the vca interface you plan to use. You must also create both an IP address and a host name for its Ethernet interface in the /etc/hosts file.

1. Locate the correct vca interfaces and instance numbers in the /etc/path_to_inst file.

Refer to the online manual pages for path_to_inst(4).

# grep vca /etc/path_to_inst

"/pci@8,600000/network@1" 0 "vca"

The instance number in the previous example is 0.

2. Use the ifconfig(1M) command to set up the adapter's vca interface.

Use the ifconfig command to assign an IP address to the network interface. Type the following at the command line, replacing ip-address with the adapter's IP address:

# ifconfig vcaN plumb ip-address up

Refer to the ifconfig(1M) man page and the Solaris documentation for more information.

• If you want a setup that will remain the same after you reboot, create an
  /etc/hostname.vcaN file, where N corresponds to the instance number of the vca interface you plan to use.

To use the vca interface of the example shown in Step 1, create an
/etc/hostname.vcaN file, where N corresponds to the instance number of the device which is 0 in this example. If the instance number were 1, the file name would be /etc/hostname.vca1.

• Do not create an /etc/hostname.vcaN file for a Sun Crypto Accelerator 4000 interface you plan to leave unused.
• The /etc/hostname.vcaN file must contain the host name for the appropriate vca interface.
• The host name must have an IP address and must be listed in the /etc/hosts file.
• The host name must be different from any other host name of any other interface, for example, /etc/hostname.vca0 and /etc/hostname.vca1 cannot share the same host name.

The following example shows the /etc/hostname.vcaN file required for a system named zardoz that has a Sun Crypto Accelerator 4000 board (zardoz-11).

# cat /etc/hostname.hme0

zardoz

# cat /etc/hostname.vca0

zardoz-11

3. Create an appropriate entry in the /etc/hosts file for each active vca interface.

For example:

# cat /etc/hosts

#

# Internet host table

#

127.0.0.1     localhost

129.144.10.57 zardoz    loghost

129.144.11.83 zardoz-11

---

Configuring IPsec Hardware Acceleration

The board has two configurations of IPsec hardware acceleration: in-line and out-of-band. Both configurations accelerate IPsec cryptographic operations. However, because each method offers different advantages, overall system requirements should be evaluated to determine the appropriate configuration.

Out-of-band is the default IPsec configuration, and is optimized for performance on a multiprocessor system. This configuration offloads DES and 3DES cryptographic functions to the board, and is the preferred configuration on a multiprocessor system for which host processing power is not an issue.

In-line IPsec configuration augments out-of-band functionality with authentication support (MD5 and SHA1), and offloads portions of the host packet processing to the board. By handling the additional packet processing, the board significantly reduces host CPU usage.

Enabling Out-of-Band IPsec Acceleration

Solaris 9 or later is required. Out-of-band is the default configuration for the board. No IPsec configuration or tuning is required to use the board for out-of-band IPsec acceleration in Solaris 9. You simply install the Sun Crypto Accelerator 4000 packages and reboot.

Enabling In-Line IPsec Acceleration

Solaris 9 12/03 or later is required. To configure in-line acceleration, you must change configuration files in both the Solaris software and the vca driver.

1. Enable in-line acceleration in the Solaris software by adding the following entry to the /etc/system configuration file:

set ip:ip_use_dl_cap=1

For the change in the /etc/system file to take effect, the system must be rebooted.

2. Enable in-line acceleration in the vca driver by adding the following entry to the /kernel/drv/vca.conf configuration file:

inline-ipsec=1;

For the change in the /kernel/drv/vca.conf file to take effect, you must either reboot the system or unload and reload the vca driver.

Once in-line acceleration has been enabled, the Solaris software IPsec policies can be configured for the interface with the standard IPsec configuration procedures. For information on configuring IPsec policies in Solaris refer to the IPsec and IKE Administration Guide available at: http://docs.sun.com

In-line acceleration can be used to accelerate both AH and ESP algorithms; however, multiple nested transforms (including AH+ESP) cannot be performed on the board. If multiple transforms are applied, only the outermost transform is performed in-line. The remaining transforms are performed by the Solaris IPsec configuration. These transforms may also be done in hardware (out-of-band) if the KCL IPsec acceleration (SUNWkcl2i.u) package has been installed on a Solaris 9 system.

When the board is configured for IPsec in-line acceleration, additional statistics presented by the kstat(1M) command will be incremented. See TABLE 3-19 for descriptions of the IPsec in-line acceleration kstat statistics.

Sun Crypto Accelerator 4000 Board Version 1.1 Installation and User's Guide

817-3693-10

Copyright © 2004, Sun Microsystems, Inc. All rights reserved.