Fortinet black logo

Hardware Acceleration

FortiGate 3960E fast path architecture

FortiGate 3960E fast path architecture

The FortiGate 3960E features sixteen front panel 10GigE SFP+ interfaces (1 to 16) and six 100GigE QSFP+ interfaces (17 to 22) connected to sixteen NP6 processors through an Integrated Switch Fabric (ISF).

The FortiGate 3960E includes sixteen NP6 processors (NP6_0 to NP6_15). All front panel data interfaces and all of the NP6 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP6 processors.

The FortiGate 3960E ISF consists of two ISF switches connected by four 100GigE inter-ISF links. Interfaces 1 to 16 are connected to one ISF switch and interfaces 17 to 22 are connected to the other ISF switch. Because of the inter-ISF links, all supported traffic passing between any two data interfaces can be offloaded by the NP6 processors. No special mapping is required for fast path offloading. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.

Note

When creating LAG interfaces, all of the interfaces in the LAG must be connected to the same ISF switch. Fast path offloading is not supported for LAGs that include interfaces connected to different ISF switches. To support offloading, a FortiGate 3960E LAG can only include interfaces 1 to 16 or interfaces 17 to 22.

The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Dedicated management CPU). The separation of management traffic from data traffic keeps management traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 3960E NP6 configuration. The command output shows all NP6s connected to each interface (port) with cross-chip offloading supported for each port. You can also use the diagnose npu np6 port-list command to display this information.

diagnose npu np6 port-list
Chip   XAUI Ports    Max     Cross-chip 
                     Speed   offloading 
------ ---- -------  ------  ---------- 
NP#0-7  0-3  port1   10000M  Yes
NP#0-7  0-3  port2   10000M  Yes
NP#0-7  0-3  port3   10000M  Yes
NP#0-7  0-3  port4   10000M  Yes
NP#0-7  0-3  port5   10000M  Yes
NP#0-7  0-3  port6   10000M  Yes
NP#0-7  0-3  port7   10000M  Yes
NP#0-7  0-3  port8   10000M  Yes
NP#0-7  0-3  port9   10000M  Yes
NP#0-7  0-3  port10  10000M  Yes
NP#0-7  0-3  port11  10000M  Yes
NP#0-7  0-3  port12  10000M  Yes
NP#0-7  0-3  port13  10000M  Yes
NP#0-7  0-3  port14  10000M  Yes
NP#0-7  0-3  port15  10000M  Yes
NP#0-7  0-3  port16  10000M  Yes
NP#0-7  0-3  port17  100000M Yes
NP#0-7  0-3  port18  100000M Yes
NP#8-15 0-3  port19  100000M Yes
NP#8-15 0-3  port20  100000M Yes
NP#8-15 0-3  port21  100000M Yes
NP#8-15 0-3  port22  100000M Yes
-------------------- ---- ------ ------- ---------- 

For information about optimizing FortiGate 3960E IPsec VPN performance, see Optimizing FortiGate 3960E and 3980E IPsec VPN performance.

For information about supporting large traffic streams, see FortiGate 3960E and 3980E support for high throughput traffic streams.

FortiGate 3960E fast path architecture

The FortiGate 3960E features sixteen front panel 10GigE SFP+ interfaces (1 to 16) and six 100GigE QSFP+ interfaces (17 to 22) connected to sixteen NP6 processors through an Integrated Switch Fabric (ISF).

The FortiGate 3960E includes sixteen NP6 processors (NP6_0 to NP6_15). All front panel data interfaces and all of the NP6 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP6 processors.

The FortiGate 3960E ISF consists of two ISF switches connected by four 100GigE inter-ISF links. Interfaces 1 to 16 are connected to one ISF switch and interfaces 17 to 22 are connected to the other ISF switch. Because of the inter-ISF links, all supported traffic passing between any two data interfaces can be offloaded by the NP6 processors. No special mapping is required for fast path offloading. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.

Note

When creating LAG interfaces, all of the interfaces in the LAG must be connected to the same ISF switch. Fast path offloading is not supported for LAGs that include interfaces connected to different ISF switches. To support offloading, a FortiGate 3960E LAG can only include interfaces 1 to 16 or interfaces 17 to 22.

The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Dedicated management CPU). The separation of management traffic from data traffic keeps management traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 3960E NP6 configuration. The command output shows all NP6s connected to each interface (port) with cross-chip offloading supported for each port. You can also use the diagnose npu np6 port-list command to display this information.

diagnose npu np6 port-list
Chip   XAUI Ports    Max     Cross-chip 
                     Speed   offloading 
------ ---- -------  ------  ---------- 
NP#0-7  0-3  port1   10000M  Yes
NP#0-7  0-3  port2   10000M  Yes
NP#0-7  0-3  port3   10000M  Yes
NP#0-7  0-3  port4   10000M  Yes
NP#0-7  0-3  port5   10000M  Yes
NP#0-7  0-3  port6   10000M  Yes
NP#0-7  0-3  port7   10000M  Yes
NP#0-7  0-3  port8   10000M  Yes
NP#0-7  0-3  port9   10000M  Yes
NP#0-7  0-3  port10  10000M  Yes
NP#0-7  0-3  port11  10000M  Yes
NP#0-7  0-3  port12  10000M  Yes
NP#0-7  0-3  port13  10000M  Yes
NP#0-7  0-3  port14  10000M  Yes
NP#0-7  0-3  port15  10000M  Yes
NP#0-7  0-3  port16  10000M  Yes
NP#0-7  0-3  port17  100000M Yes
NP#0-7  0-3  port18  100000M Yes
NP#8-15 0-3  port19  100000M Yes
NP#8-15 0-3  port20  100000M Yes
NP#8-15 0-3  port21  100000M Yes
NP#8-15 0-3  port22  100000M Yes
-------------------- ---- ------ ------- ---------- 

For information about optimizing FortiGate 3960E IPsec VPN performance, see Optimizing FortiGate 3960E and 3980E IPsec VPN performance.

For information about supporting large traffic streams, see FortiGate 3960E and 3980E support for high throughput traffic streams.