
SR-IOV


FortiGate-VMs installed on Microsoft Hyper-V platforms support Single Root I/O virtualization (SR-IOV) to provide FortiGate-VMs with direct access to physical network cards. Enabling SR-IOV means that one PCIe network card or CPU can function for a FortiGate-VM as multiple separate physical devices. SR-IOV reduces latency and improves CPU efficiency by allowing network traffic to pass directly between a FortiGate-VM and a network card, bypassing Microsoft Hyper-V host software and without using virtual switching.

FortiGate-VMs benefit from SR-IOV because SR-IOV optimizes network performance and reduces latency and CPU usage. FortiGate-VMs do not use Microsoft Hyper-V features that are incompatible with SR-IOV, so you can enable SR-IOV without negatively affecting your FortiGate-VM. SR-IOV implements an I/O memory management unit (IOMMU) to differentiate between different traffic streams and apply memory and interrupt translations between the physical functions (PF) and virtual functions (VF).

Setting up SR-IOV on Microsoft Hyper-V involves creating a PF for each physical network card in the hardware platform. Then, you create VFs that allow FortiGate-VMs to communicate through the PF to the physical network card. VFs are actual PCIe hardware resources and only a limited number of VFs are available for each PF.

SR-IOV hardware compatibility

SR-IOV requires that the hardware and operating system on which your Microsoft Hyper-V host is running has BIOS, physical NIC, and network driver support for SR-IOV.

To enable SR-IOV, your Microsoft Hyper-V platform must be running on hardware that is compatible with SR-IOV and with FortiGate-VMs. FortiGate-VMs require network cards that are compatible with the supported drivers. See PF and VF SR-IOV driver and virtual SPU support for supported driver versions. In addition, the host hardware CPUs must support second level address translation (SLAT).

For optimal SR-IOV support, install the most up-to-date network drivers. Fortinet recommends i40e/iavf drivers because they provide four TxRx queues for each VF, whereas ixgbevf provides only two TxRx queues.

Creating an SR-IOV virtual switch

Begin configuring SR-IOV by creating a Microsoft Hyper-V external virtual switch with SR-IOV support. You can use the Microsoft Hyper-V Manager or PowerShell command line.

Note

You can only add SR-IOV to a new virtual switch. You cannot modify an existing virtual switch to enable SR-IOV, and you cannot disable SR-IOV for a virtual switch that was already added. To add or remove SR-IOV from a virtual switch, you must delete the switch, then re-add it.

From the Microsoft Hyper-V Manager:
  1. Open the Virtual Switch Manager.
  2. Create a new virtual switch.
  3. Add a name and other settings as required.
  4. Set the Connection type to External network and select Enable single-root I/O virtualization (SR-IOV).
From PowerShell:
  1. Enter the Get-NetAdapter command to view the list of available network adapters.
  2. Enter the following command to add a new virtual switch:

    New-VMSwitch <virtual-switch-name> -netadaptername <network-adapter-name> -EnableIov $true

    Where <virtual-switch-name> is the name of the virtual switch that you are creating, and <network-adapter-name> is the name of the network adapter that you are binding the virtual switch to.

Enabling SR-IOV for a FortiGate-VM

The following procedure requires shutting down and restarting the FortiGate-VM. Therefore, you should perform it during a quiet time or maintenance window when the network is not busy.

From the Microsoft Hyper-V Manager:
  1. Open the FortiGate-VM settings, expand the Network Adapter node, and select Hardware Acceleration.
  2. On the Hardware Acceleration page, select Enable SR-IOV.
From PowerShell, enter the following command, where IOV8250 is the name of the FortiGate-VM in this example:

    Set-VMNetworkAdapter -VMName IOV8250 -IovWeight 50 -Passthru | fl *iov*, status, virtualfunction
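
The following script is an added example, not part of the Fortinet documentation. It checks each layer that the procedure above depends on (host, physical NIC, virtual switch, VM adapter) and reports whether a VF was actually assigned. The switch name `sriov-switch` is a hypothetical placeholder; `IOV8250` is the VM name from the command above.

```powershell
# Added example: verify SR-IOV at every layer after following the procedure.
# Assumptions: run elevated on the Hyper-V host; names below are placeholders.
param(
    [string]$SwitchName = 'sriov-switch',   # hypothetical virtual switch name
    [string]$VMName     = 'IOV8250'         # VM name used in the command above
)

# 1. Host: BIOS, chipset and CPU (SLAT) support as reported by Hyper-V.
$vmHost = Get-VMHost
if (-not $vmHost.IovSupport) {
    Write-Warning "Host cannot use SR-IOV: $($vmHost.IovSupportReasons -join '; ')"
}

# 2. Physical NICs: which adapters expose SR-IOV and how many VFs each offers.
Get-NetAdapterSriov -ErrorAction SilentlyContinue |
    Format-Table Name, InterfaceDescription, SriovSupport, NumVFs, Enabled

# 3. Virtual switch: SR-IOV can only be set when the switch is created.
$sw = Get-VMSwitch -Name $SwitchName -ErrorAction Stop
if (-not $sw.IovEnabled) {
    Write-Warning "$SwitchName was created without -EnableIov; delete and re-create it."
}
elseif (-not $sw.IovSupport) {
    Write-Warning "$SwitchName cannot use SR-IOV: $($sw.IovSupportReasons -join '; ')"
}
'{0}: {1} of {2} VFs in use' -f $sw.Name,
    $sw.IovVirtualFunctionsInUse, $sw.IovVirtualFunctionCount

# 4. VM adapters: IovWeight 0 means SR-IOV is off for that adapter. An empty
#    VirtualFunction means traffic is still going through the virtual switch
#    (for example, because the PF has no free VFs left).
foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
    [pscustomobject]@{
        Adapter    = $nic.Name
        Switch     = $nic.SwitchName
        IovWeight  = $nic.IovWeight
        Status     = $nic.Status -join ','
        VfAssigned = [bool]$nic.VirtualFunction
    }
}
```

An adapter that shows a nonzero `IovWeight` but `VfAssigned = False` has silently fallen back to the synthetic path, so its traffic is not bypassing the host as the configuration suggests.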
