Inspect double-tagged traffic on virtual wire pairs 6.4.9


Double-tagged (802.1Q and 802.1Q) traffic can be inspected on a virtual wire pair with wildcard VLANs. To achieve higher throughput, the NPU supports an optimized receive packet steering (RPS) mode, and traffic distribution on the Integrated Switch Fabric (ISF) can be configured. This feature is supported on FG-3400E, FG-3401E, FG-3600E, and FG-3601E models.

In this example, the FortiGate interfaces are part of a virtual wire pair. The FortiGate receives frames that are double-tagged with two 802.1Q tags, each using TPID 0x8100. A virtual wire pair policy using wildcard VLANs can inspect the payload within the inner tag.
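To check what a capture taken on either side of the virtual wire pair actually carries, the tag stack described above can be decoded offline. The following is an added example, not Fortinet code: the function names and the sample frame (MAC addresses, VLAN IDs 100 and 200, placeholder IPv4 bytes) are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # tag type the page names for both the outer and inner tag


def parse_vlan_stack(frame: bytes, max_tags: int = 2):
    """Return (tags, ethertype, payload) for an Ethernet II frame.

    tags lists the 802.1Q tags outermost first. If more than max_tags
    tags are stacked, the returned ethertype is still 0x8100, which
    flags an unexpected extra tag. Raises ValueError on a truncated
    header so a short capture is never misread as payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    tags = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == TPID_8021Q and len(tags) < max_tags:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        # TCI follows the TPID; the next EtherType/TPID follows the TCI.
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return tags, ethertype, frame[offset + 2:]


def build_sample_frame(outer_vid: int = 100, inner_vid: int = 200) -> bytes:
    """Constructed double-tagged frame used only as sample input."""
    dst = bytes.fromhex("020000000002")  # locally administered, constructed
    src = bytes.fromhex("020000000001")
    payload = b"\x45" + b"\x00" * 19     # placeholder IPv4 header bytes
    return (dst + src
            + struct.pack("!HH", TPID_8021Q, outer_vid)
            + struct.pack("!HH", TPID_8021Q, inner_vid)
            + struct.pack("!H", 0x0800)
            + payload)


if __name__ == "__main__":
    tags, ethertype, payload = parse_vlan_stack(build_sample_frame())
    print("VLAN stack (outer first):", [t["vid"] for t in tags])
    print("inner EtherType: 0x%04x, payload bytes: %d" % (ethertype, len(payload)))
```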

Affinity fine-tuning, also known as receive packet steering (RPS), can be configured. It lets users map interface receive queues to different CPU cores, which distributes packets evenly among the cores and improves performance.

config system affinity-packet-redistribution
    edit <id>
        set interface <string>
        set rxqid <integer>
        set affinity-cpumask <hexadecimal>  
    next
end

interface <string>

Enter the name of the physical interface to perform packet redistribution on.

rxqid <integer>

Enter the ID of the receive queue (when the interface has multiple queues) to perform packet redistribution on.

affinity-cpumask <hexadecimal>

Enter the affinity setting for VM throughput (64-bit hexadecimal value, 0xXXXXXXXXXXXXXXXX).

Packet distribution on the ISF can use a round-robin algorithm to achieve higher throughput.

config system npu
    set isf-np-rx-tr-distr {port-flow | round-robin | randomized}
    set rps-mode {enable | disable}
end

isf-np-rx-tr-distr {port-flow | round-robin | randomized}

Set the traffic distribution type in the ISF:

  • port-flow: enhanced hashing
  • round-robin: round-robin member selection
  • randomized: randomized load balancing mode

rps-mode {enable | disable}

Enable/disable NPU receive packet steering (RPS) optimization mode.
