Interface

The Network > Interface sub-menu allows you to perform the following tasks relating to the network interface:

Interface Overview

This section covers the following topics:

Physical interfaces

Each physical network port (or vNIC on FortiADC-VM) has a network interface that directly corresponds to it—that is, a “physical network interface.”

Physical ports have three uses:

  • Management—The network interface named port1 is typically used as the management interface.
  • HA—If you plan to deploy HA, you must reserve a physical port for HA heartbeat and synchronization traffic. Do not configure the network interface that will be used for HA; instead, leave it unconfigured or “reserved” for HA.
  • Traffic—The remaining physical ports can be used for your target traffic—these are your “traffic interfaces.”

Traffic interfaces can be associated with logical interfaces. The system supports two types of logical interfaces: VLAN and aggregate. The figure Physical and logical interfaces illustrates how physical ports are associated with physical and logical interfaces.

Physical and logical interfaces

With VLANs, multiple VLAN logical interfaces are associated with a single physical port. With link aggregation, it is the reverse: multiple physical interfaces are associated with a single aggregate logical interface.

Physical network interfaces lists factory default IP addresses for physical network interfaces.

Physical network interfaces

Network Interface*   IPv4 Address/Netmask   IPv6 Address/Netmask
port1                192.168.1.99/24        ::/0
port2                0.0.0.0/0              ::/0
port3                0.0.0.0/0              ::/0
port4                0.0.0.0/0              ::/0
...
Connectivity layers that are considered when distributing frames among the aggregated physical ports:

  • Layer 2
  • Layer 2-3
  • Layer 3-4

VLAN interface

You can use IEEE 802.1q VLAN to reduce the size of a broadcast domain, thereby reducing the amount of broadcast traffic received by network hosts and improving network performance.

Unlike physical LANs, VLANs do not require you to install separate hardware switches and routers to achieve this effect. Instead, VLAN-compliant switches restrict broadcast traffic based upon whether its VLAN ID matches that of the destination network. As such, VLAN trunks can be used to join physically distant broadcast domains as if they were close.

The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN. FortiADC appliances handle VLAN header addition automatically, so you do not need to adjust the maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, a VLAN tag might be added, removed, or rewritten before forwarding to other nodes on the network. For example, a Layer 2 switch typically adds or removes a tag when forwarding traffic among members of the VLAN, but does not route tagged traffic to a different VLAN ID. In contrast, a FortiADC content-based routing policy might forward traffic between different VLAN IDs (also known as inter-VLAN routing).

Note: VLANs are not designed to be a security measure, and should not be used where untrusted devices and/or individuals outside of your organization have access to the equipment. VLAN tags are not authenticated, and can be ignored or modified by attackers. VLAN tags rely on the voluntary compliance of the receiving host or switch.
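The tag handling described above (insertion by an access port, removal on egress, rewriting during inter-VLAN forwarding) and the point of the note, as an added example that is not part of the Fortinet handbook: a small 802.1Q frame codec plus a per-port membership check, which enforces the VLAN a frame may arrive on instead of trusting the tag the sender wrote. The sample frame and the port membership sets are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an IEEE 802.1Q-tagged frame

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields; vlan/pcp are None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vlan, pcp, body = None, None, 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, body = tci & 0x0FFF, tci >> 13, 18  # VID = low 12 bits, PCP = top 3 bits
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": etype, "payload": frame[body:]}

def add_tag(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert a tag after the MAC addresses (what a switch does on an access-port ingress)."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag (access-port egress); an untagged frame passes through unchanged."""
    return frame[:12] + frame[16:] if parse_frame(frame)["vlan"] is not None else frame

def rewrite_tag(frame: bytes, new_vlan: int) -> bytes:
    """Replace the VID, as inter-VLAN forwarding does, keeping the priority bits."""
    return add_tag(strip_tag(frame), new_vlan, parse_frame(frame)["pcp"] or 0)

def tag_permitted(frame: bytes, port_allowed: set) -> bool:
    """Admit a frame only if its VID is in the receiving port's configured membership.
    The tag itself is unauthenticated, so this local policy is what actually separates VLANs."""
    vlan = parse_frame(frame)["vlan"]
    return vlan is not None and vlan in port_allowed

# Constructed sample: broadcast ARP request (ethertype 0x0806) with a zeroed 28-byte body.
SAMPLE = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x06" + b"\x00" * 28
TAGGED = add_tag(SAMPLE, vlan=100, pcp=3)

if __name__ == "__main__":
    print(parse_frame(TAGGED)["vlan"], tag_permitted(TAGGED, {100, 110}), tag_permitted(TAGGED, {200}))
```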

Aggregate interface

Link aggregation (also called NIC teaming/bonding or link bundling) forms a network interface that queues and transmits over multiple wires (also called a port channel), instead of only a single wire (as FortiADC would normally do with a single network interface per physical port). This multiplies the bandwidth that is available to the network interface, and therefore is useful if FortiADC is deployed inline with your network backbone.

Link aggregation on FortiADC complies with IEEE 802.1ax and IEEE 802.3ad and distributes Ethernet frames using a modified round-robin behavior. If a port in the aggregation fails, traffic is redistributed automatically to the remaining ports with the only noticeable effect being a reduced bandwidth. When broadcast or multicast traffic is received on a port in the aggregation, reverse traffic will return on the same port.

When link aggregation uses a round-robin that considers only Layer 2, Ethernet frames that belong to an HTTP request can sometimes arrive out of order. Because network protocols at higher layers often do not gracefully handle this (especially TCP, which may decrease network performance by requesting retransmission when the expected segment does not arrive), FortiADC’s frame distribution algorithm is configurable. For example, if you notice that performance with link aggregation is not as high as you expect, you could try configuring FortiADC to queue related frames consistently to the same port by considering the IP session (Layer 3) and TCP connection (Layer 4), not simply the MAC address (Layer 2).

You must also configure the router, switch, or other link aggregation control protocol (LACP)-compatible device to which FortiADC is connected with the same speed/duplex settings, and it must have ports that can be aggregated. In a deployment like this, the two devices use the cables between the ports to form a trunk, not an accidental Layer 2 (link) network loop. FortiADC uses LACP to detect the following conditions:

  • Suitable links between itself and the other device, which it combines into a single logical link.
  • Failure of an individual port, so that the aggregate interface can redistribute queuing away from the failed port.
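The distribution modes listed under the physical interfaces (Layer 2, Layer 2-3, Layer 3-4) and the out-of-order problem described above, as an added simulation that is not FortiADC code: each mode hashes a different set of header fields to pick a member port, a pure per-frame rotation is included for comparison, and a helper reports which TCP connections were spread over several ports (the condition that lets TCP segments arrive out of order). The frames, MAC/IP values and member port names are constructed; the CRC32 hash stands in for whatever hash the appliance uses internally.

```python
import zlib
from collections import defaultdict

def flow_key(frame: dict, mode: str) -> bytes:
    """Header bytes the distribution hash considers in each connectivity-layer mode."""
    l2 = frame["src_mac"] + frame["dst_mac"]
    l3 = frame["src_ip"] + frame["dst_ip"]
    l4 = frame["src_port"].to_bytes(2, "big") + frame["dst_port"].to_bytes(2, "big")
    return {"layer2": l2, "layer2-3": l2 + l3, "layer3-4": l3 + l4}[mode]

def select_member(frame: dict, mode: str, members: list) -> str:
    """Pick a live member port; hashing the same fields always returns the same port."""
    if not members:
        raise RuntimeError("no live member ports in the aggregate")
    if mode == "round-robin":  # per-frame rotation, shown only for comparison
        return members[frame["seq"] % len(members)]
    return members[zlib.crc32(flow_key(frame, mode)) % len(members)]

def distribute(frames: list, mode: str, members: list) -> dict:
    """Map each frame's sequence number to the member port that carries it."""
    return {f["seq"]: select_member(f, mode, members) for f in frames}

def split_flows(frames: list, assignment: dict) -> set:
    """TCP connections whose frames landed on more than one port (reordering risk)."""
    ports = defaultdict(set)
    for f in frames:
        ports[(f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"])].add(assignment[f["seq"]])
    return {flow for flow, p in ports.items() if len(p) > 1}

def make_frames() -> list:
    """Constructed sample: three client connections to one server, all arriving through one
    router (so every frame carries the same MAC pair), four frames each, interleaved."""
    router, adc = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    conns = [(b"\x0a\x00\x00\x01", 40001), (b"\x0a\x00\x00\x02", 40002), (b"\x0a\x00\x00\x01", 40003)]
    frames = []
    for _ in range(4):
        for src_ip, sport in conns:
            frames.append({"seq": len(frames), "src_mac": router, "dst_mac": adc,
                           "src_ip": src_ip, "dst_ip": b"\x0a\x00\x01\x0a",
                           "src_port": sport, "dst_port": 80})
    return frames

MEMBERS = ["port3", "port4", "port5", "port6"]  # hypothetical aggregate members

if __name__ == "__main__":
    fr = make_frames()
    for mode in ("round-robin", "layer2", "layer2-3", "layer3-4"):
        a = distribute(fr, mode, MEMBERS)
        print(mode, "ports used:", sorted(set(a.values())), "split flows:", len(split_flows(fr, a)))
```

With one MAC pair in front of the appliance, Layer 2 hashing keeps ordering but pins everything to a single port, which is the case where moving to Layer 3-4 recovers the bandwidth of the bundle.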

Loopback interface

A loopback interface is a virtual interface. Like any other interface, a loopback interface can be assigned an address of its own. Unlike any other interface, a loopback interface, once configured, is always up and available. Because a loopback interface never goes down, it is often used for troubleshooting the device, in this case the FortiADC appliance.

In addition, the BGP and OSPF protocols use loopback interfaces to derive protocol-specific properties of a device or network.

Softswitch

A softswitch, or software switch, is a virtual switch that is implemented at the software or firmware level rather than the hardware level. It can be used to simplify communication between devices connected to different FortiADC interfaces. For example, using a softswitch, you can place the FortiADC interface connected to an internal network on the same subnet as your wireless interfaces. This allows devices on the internal network to communicate with devices on the wireless network without any additional configuration.

A softswitch can also be useful if you require more hardware ports for the switch on a FortiADC unit. For example, if your FortiADC has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can create a softswitch that includes the 4-port switch and the DMZ interface all on the same subnet. Such applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces.

Similar to a hardware switch, a softswitch functions like a single interface. It has one IP address, and all interfaces in the softswitch are on the same subnet. Traffic between devices connected to each interface is not regulated by security policies, and traffic passing in and out of the switch is affected by the same policy. For more information, see the FortiADC Transparent Mode Configuration Guide.
