
Hardware Acceleration

The HPE and changing BGP, SLBC, and BFD priority


Use the following command to adjust the priority of BGP, SLBC, and BFD packets received by NP6 processors to reduce the amount of this traffic allowed by the NP6 host protection engine (HPE).

config system npu
    config priority-protocol
        set bgp {disable | enable}
        set slbc {disable | enable}
        set bfd {disable | enable}
    end

By default, all options are set to enable, so the NP6 treats BGP, SLBC, and BFD packets as high priority traffic and the HPE adds the HPE pri-type-max overflow to the allowed packets per second for these traffic types. In some cases, the pri-type-max overflow can allow excessive amounts of BGP, SLBC, and BFD traffic, which can cause problems such as route flapping and CPU spikes. If you encounter this problem, or for other reasons, you can use the config priority-protocol command to set BGP, SLBC, or BFD traffic to low priority, bypassing the HPE pri-type-max overflow. For more information about the NP6 HPE, see config hpe.

Caution

Changing these traffic types to low priority can cause problems if your FortiGate is actively processing traffic. Fortinet recommends that you make changes with this command during a maintenance window and then monitor your system to make sure it's working properly once it gets busy again.

If bgp is set to enable (the default), the HPE limits BGP SYN packets to tcpsyn-max + pri-type-max pps and limits other BGP traffic to tcp-max + pri-type-max pps. If bgp is set to disable, the HPE limits BGP SYN packets to tcpsyn-max pps and other BGP traffic to tcp-max pps. If your network is using the BGP protocol, you can keep this option enabled to allow for higher volumes of BGP traffic. If your network should not see any BGP traffic, you can disable this option to limit BGP traffic to lower pps.

If slbc is set to enable (the default), the HPE limits SLBC traffic to udp-max + pri-type-max pps. If slbc is set to disable, the HPE limits SLBC traffic to udp-max pps. If your FortiGate is in an SLBC configuration, slbc should be enabled. Otherwise, you can choose to disable it.

If bfd is set to enable (the default), the HPE limits BFD traffic to udp-max + pri-type-max pps. If bfd is set to disable, the HPE limits BFD traffic to udp-max pps.
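
An added example (not Fortinet code): a short Python audit that reads the priority-protocol block from a saved configuration, computes the pps ceiling the HPE applies to each traffic class under the rules above, and flags protocols that still receive the pri-type-max overflow although the network does not use them. The sample configuration and HPE values are constructed for illustration and are not FortiOS defaults; the function names are hypothetical.

```python
import re

# Constructed sample HPE limits in pps (illustrative values, not FortiOS defaults).
SAMPLE_HPE = {"tcpsyn-max": 600000, "tcp-max": 600000,
              "udp-max": 600000, "pri-type-max": 1000000}

# Constructed sample configuration: BFD lowered to low priority, BGP and SLBC untouched.
SAMPLE_CONFIG = """\
config system npu
    config priority-protocol
        set bfd disable
    end
"""

# HPE base limit that applies to each traffic class, as described on this page.
BASE_LIMITS = {
    "bgp": {"BGP SYN": "tcpsyn-max", "BGP other": "tcp-max"},
    "slbc": {"SLBC": "udp-max"},
    "bfd": {"BFD": "udp-max"},
}

def parse_priority_protocol(config_text):
    """Return {protocol: is_high_priority}; options not present count as enable (the default)."""
    state = {proto: True for proto in BASE_LIMITS}
    in_block = False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "config priority-protocol":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = re.fullmatch(r"set (bgp|slbc|bfd) (enable|disable)", line)
            if m:
                state[m.group(1)] = m.group(2) == "enable"
    return state

def effective_limits(state, hpe):
    """pps ceiling per traffic class: base limit, plus pri-type-max when high priority."""
    return {label: hpe[base] + (hpe["pri-type-max"] if state[proto] else 0)
            for proto, classes in BASE_LIMITS.items()
            for label, base in classes.items()}

def audit(config_text, protocols_in_use):
    """Return (unused protocols still high priority, True if SLBC is in use but set low)."""
    state = parse_priority_protocol(config_text)
    unused_high = sorted(p for p, high in state.items()
                         if high and p not in protocols_in_use)
    return unused_high, ("slbc" in protocols_in_use and not state["slbc"])
```
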
