Intel Xeon Scalable 4th Gen Caveats?

Epimpin · Mar 17, 2024, 8:01 AM

Calling out to anyone who may know.

Are there any caveats or pitfalls to know about using 4th gen intel scalable processors with pfSense?
Specifically in a 2 processor (2 socket) configuration.

I want to take advantage of the built in QAT capability in which I will be making another post about but any input on that here would be okay as well.

The CPU I am eyeing is the Intel Xeon Silver 4416+.

I will be anxiously awaiting any input,
Thanks,
Epimpin

Sergei_Shablovsky · Mar 16, 2024, 3:17 AM

@Epimpin
Original Intel QAT 8950 cost old-new stock on eBay in price range $US 30-160 (- BestOffer ;)

So if You have free PCIe slot,- just spend on it. That would be much perfect investment on next 3-5 years (depend on Your bandwidth & secured traffic mix).

Epimpin · Mar 16, 2024, 2:52 AM

@Sergei_Shablovsky
Though I appreciate the input, it DOES NOT relate to what I asked. The card you just mentioned is old as dirt currently and is worthless to me. If I were to invest in a card it would be multiple Intel QAT 8970's minimum (Which are pretty old at this point as well).

What I AM referring to is the 2x and 3x QAT chips on die of the intel scalable processor. I could not decipher from bsd's information whether it was already supported or if its just being worked on so I was hoping to speak with someone who has used 4th or 5th gen scalable with QAT chip procs on pfsense.

JonathanLee · Mar 16, 2024, 2:54 AM

@Epimpin with the intel chipset vs the arm risc you can fully utilize the Snort IPS/IDS inline mode blocking, plus use the rest of the rulesets that arm can not currently utilize.

Epimpin · Mar 16, 2024, 3:50 AM

@JonathanLee That would be nice because I am currently using a cluster of equipment to perform different types of sideband scanning and inline stuff using gigamon equipment. The gigamon stuff is neat but I dont have a million dollars to upgrade and save a couple kw.

I an currently slicing traffic and distributing into mutiple snort ids boxes, suicata, etc, and then sending it to a packet shaping and aggragation layer and re-timing to a distribution layer.

I would love to talk to the snort guys to find out what the "maximize" truely looks like.

To recap and clarify, you can confirm that the intel die based chiplet on die QAT chips are recognized and functional in pfsense?

Sergei_Shablovsky · Mar 16, 2024, 3:24 AM

@Epimpin said in Intel Xeon Scalable 4th Gen Caveats?:

@Sergei_Shablovsky
Though I appreciate the input, it DOES NOT relate to what I asked. The card you just mentioned is old as dirt currently and is worthless to me. If I were to invest in a card it would be multiple Intel QAT 8970's minimum (Which are pretty old at this point as well).

Hm… STH in their reviews say that even one 8970 may sense only on bandwidth > 100Gb.
So, I’m just not imagine why You need several of 8970??? ;)

JonathanLee · Mar 16, 2024, 3:29 AM

@Epimpin I can not confirm that but maybe @stephenw10 can. I wonder also about AVX-512 are 512-bit extensions to the 256-bit Advanced Vector Extensions SIMD instructions. I know SIMD is for encryption purposes like OpenVPN and offboarding to the crypto chip for acceleration.

But to use the full zmm registers etc… that would be wicked cool right?

Epimpin · Mar 17, 2024, 8:04 AM

@Sergei_Shablovsky
I am running a 40Gig network currently and using special gigamon equipment to split my loads out across multiple boxes for an all encompassing solution.

looking to upgrade to 100g 400g or maybe 800g (depending on how soon and at what price point celestica is releasing their 800gb switch).
The 100gb capability is theoretical maximum for the 8970 and the chip can't perform compression or decryption/encryption at that rate.

To meet 100gb for both compression AND encryption at the same time, it would require 5 cards.
To meet or exceed encryption alone it would require 3 or 4 cards alone.

Sergei_Shablovsky · Mar 16, 2024, 3:40 AM

@Epimpin said in Intel Xeon Scalable 4th Gen Caveats?:

@JonathanLee That would be nice because I am currently using a cluster of equipment to perform different types of sideband scanning and inline stuff using gigamon equipment. The gigamon stuff is neat but I dont have a million dollars to upgrade and save a couple kw.

I an currently slicing traffic and distributing into mutiple snort ids boxes, suicata, etc, and then sending it to a packet shaping and aggragation layer and re-timing to a distribution layer.

If You are on so high level that really NEED 3-5 of QAT 8970…may be reasonable just pick up the phone and speak with Intel head office representative or STH ?

Epimpin · Mar 16, 2024, 3:48 AM

@JonathanLee
Okay, No confirmation, you had me all excited there for a second.

It would be hella nice to take full advantage of the intel scalable platform and the
avx-512 design and it would be even cooler if I could use the built in QAT chiplets in the 5th gen + sku's.

But as of right now I don't even know how pfsense or freebsd even behaves with E-cores. I have threads up in multiple support forums for this exact question.

There is a reason why the CPU'S are so expensive to begin with, and it aint their speed. Its the built in high tech functionality and a firewall or ids/ips system could really reap the benefits of ALL of it if it were fully implemented. Not to mention there are special skus that allow the QAT on die to work directly with pcie based QAT chips and even other system and the QAT chiplets can talk directly to an FPGA based intel quickpath 100g nic, totally skipping the chipset.

JonathanLee · Mar 16, 2024, 4:24 AM

Imagine if pfSense ran on a Ciena 6500 system 1.6 Tb/s performance optics. Run it on the management card. Talk about End of the line for bad guy websites. URL blocking right at the isp backbone system. Wouldn’t that be cool? Could the software do hardware convergence with that kind of speed?? Could it run with MPO cables? Who knows.

Epimpin · Mar 16, 2024, 4:40 AM

@JonathanLee
That would be amazing.
More interesting would be inline antivirus and tunneling.
I cant seem to find a pic of Ciena WLe6 optics, do you have any @JonathanLee? Im still on crappy little 40gb cwdm optics.
Who knows is someone that owns the equipment who has tried it. If I owned, I would try.

JonathanLee · Mar 16, 2024, 5:11 AM

@Epimpin No photography sorry.

Epimpin · Mar 16, 2024, 3:38 PM

@JonathanLee
Damn, guess I gotta call my Ciena rep. I am curious as to what config they use to reach 1.6tbps. I mean I can do that all day down a single fiber pair with DWDM but not on a single line card.

stephenw10 · Mar 17, 2024, 8:30 AM

If that's the 4xxx series device it was recently added to the gui: https://redmine.pfsense.org/issues/15233.

Otherwise check the driver for what is supported:
https://github.com/pfsense/FreeBSD-src/blob/devel-main/sys/dev/qat/include/common/adf_accel_devices.h#L12

Epimpin · Mar 17, 2024, 8:30 AM

@stephenw10
Thanks for the response Steve, I believe it is and found out I was not the only one asking for this. :)

I guess we I have to do a little digging about those registers and device names and compare and then try it out.

@stephenw10 How does pfsense handle multiple qat accelerators?

stephenw10 · Mar 17, 2024, 3:44 PM

Good question, I've never seen one to find out. I imagine it would have to be in the QAT driver or possibly the crypto framework.