SR-IOV
FortiGate-VMs installed on Microsoft Hyper-V platforms support Single Root I/O virtualization (SR-IOV) to provide FortiGate-VMs with direct access to physical network cards. Enabling SR-IOV means that one PCIe network card or CPU can function for a FortiGate-VM as multiple separate physical devices. SR-IOV reduces latency and improves CPU efficiency by allowing network traffic to pass directly between a FortiGate-VM and a network card, bypassing Microsoft Hyper-V host software and without using virtual switching.
FortiGate-VMs benefit from SR-IOV because SR-IOV optimizes network performance and reduces latency and CPU usage. FortiGate-VMs do not use Microsoft Hyper-V features that are incompatible with SR-IOV, so you can enable SR-IOV without negatively affecting your FortiGate-VM. SR-IOV implements an I/O memory management unit (IOMMU) to differentiate between different traffic streams and apply memory and interrupt translations between the physical functions (PF) and virtual functions (VF).
Setting up SR-IOV on Microsoft Hyper-V involves creating a PF for each physical network card in the hardware platform. Then, you create VFs that allow FortiGate-VMs to communicate through the PF to the physical network card. VFs are actual PCIe hardware resources and only a limited number of VFs are available for each PF.
SR-IOV hardware compatibility
SR-IOV requires that the hardware and operating system on which your Microsoft Hyper-V host runs have BIOS, physical NIC, and network driver support for SR-IOV.
To enable SR-IOV, your Microsoft Hyper-V platform must run on hardware that is compatible with SR-IOV and with FortiGate-VMs. FortiGate-VMs require network cards that are compatible with the supported drivers. See PF and VF SR-IOV driver and virtual SPU support for supported driver versions. In addition, the host hardware CPUs must support second level address translation (SLAT).
For optimal SR-IOV support, install the most up-to-date network drivers. Fortinet recommends i40e/iavf drivers because they provide four TxRx queues for each VF, whereas ixgbevf provides only two TxRx queues.
Creating an SR-IOV virtual switch
Begin configuring SR-IOV by creating a Microsoft Hyper-V external virtual switch with SR-IOV support. You can use the Microsoft Hyper-V Manager or PowerShell command line.
You can only add SR-IOV to a new virtual switch. You cannot modify an existing virtual switch to enable SR-IOV and you cannot disable SR-IOV for a virtual switch that was already added. To add or remove SR-IOV from a virtual switch you must delete it, then re-add it.
From the Microsoft Hyper-V Manager:
- Open the Virtual Switch Manager.
- Create a new virtual switch.
- Add a name and other settings as required.
- Set the Connection type to External network and select Enable single-root I/O virtualization (SR-IOV).
From PowerShell:
- Enter the Get-NetAdapter command to view the list of available network adapters.
- Enter the following command to add a new virtual switch:
New-VMSwitch <virtual-switch-name> -netadaptername <network-adapter-name> -EnableIov $true
Where <virtual-switch-name> is the name of the virtual switch that you are creating, and <network-adapter-name> is the name of the network adapter that you are binding the virtual switch to.
Enabling SR-IOV for a FortiGate-VM
The following procedure requires shutting down and restarting the FortiGate-VM. Therefore, you should perform it during a quiet time or maintenance window when the network is not busy.
From the Microsoft Hyper-V Manager:
- Open the FortiGate-VM settings, expand the Network Adapter node, and select Hardware Acceleration.
- On the Hardware Acceleration page, select Enable SR-IOV.
From PowerShell:
Set-VMNetworkAdapter IOV8250 -IovWeight 50 -Passthru | fl "iov", "status", "virtualfunction"
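The two procedures above combined into one script that checks each prerequisite before changing anything. This is an added example, not part of Fortinet's documentation. The switch, physical adapter, VM, and VM adapter names are placeholders, and it assumes the FortiGate-VM adapter should be attached to the new SR-IOV switch.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Placeholder names (assumptions, not from the page): replace with your own.
$SwitchName  = 'sriov-vswitch'
$AdapterName = 'Ethernet 2'
$VMName      = 'FortiGate-VM'
$VMNicName   = 'Network Adapter'

# 1. Host check: firmware, CPU and chipset must allow SR-IOV.
$vmHost = Get-VMHost
if (-not $vmHost.IovSupport) {
    throw "Host cannot use SR-IOV: $($vmHost.IovSupportReasons -join '; ')"
}

# 2. SR-IOV can only be chosen when the switch is created, so an existing
#    switch without it has to be deleted and re-added rather than modified.
$switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
if ($null -eq $switch) {
    $switch = New-VMSwitch -Name $SwitchName -NetAdapterName $AdapterName -EnableIov $true
} elseif (-not $switch.IovEnabled) {
    throw "Switch '$SwitchName' exists without SR-IOV; delete it and re-add it."
}

# 3. The NIC and its driver must also support SR-IOV; otherwise the switch
#    exists but has no virtual functions to hand out.
$switch = Get-VMSwitch -Name $SwitchName
if (-not $switch.IovSupport) {
    throw "Switch '$SwitchName' has no usable VFs: $($switch.IovSupportReasons -join '; ')"
}

# 4. The page's procedure is carried out with the FortiGate-VM shut down.
if ((Get-VM -Name $VMName).State -ne 'Off') {
    throw "Shut down '$VMName' first, then run this script again."
}

# 5. Attach the named VM adapter to the switch and enable SR-IOV on it
#    (an IovWeight of 0 disables SR-IOV, 1-100 enables it).
Connect-VMNetworkAdapter -VMName $VMName -Name $VMNicName -SwitchName $SwitchName
Set-VMNetworkAdapter -VMName $VMName -Name $VMNicName -IovWeight 50
Start-VM -Name $VMName

# 6. Report the result. A populated VirtualFunction and a non-zero
#    IovVirtualFunctionsInUse show the adapter is on a VF, not the software path.
Get-VMNetworkAdapter -VMName $VMName -Name $VMNicName | Format-List Name, SwitchName, IovWeight, Status, VirtualFunction
Get-VMSwitch -Name $SwitchName | Format-List Name, IovEnabled, IovVirtualFunctionCount, IovVirtualFunctionsInUse
```

The VF is assigned only after the guest has loaded its VF driver, so repeat the two commands in step 6 once FortiOS has finished booting if VirtualFunction is still empty.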