Hardware Acceleration

Enhanced load balancing for LAG interfaces for NP6 platforms

For some LAG configurations with some network conditions on FortiGates with NP6 processors, you may find that packets are not evenly distributed among all of the interfaces in a LAG, leading to possible reduced performance. On FortiGate models that have an internal switch fabric (ISF) that supports modifying the distribution algorithm, you can configure enhanced hashing to help distribute traffic evenly across links on LAG interfaces. The enhanced hashing algorithm is based on a 5-tuple hash calculated from the IP Protocol, source IP address, destination IP address, source port number, and destination port number. You can also further improve distribution and performance by customizing the hashing algorithm.

Note

This feature is only supported by some FortiGate models with NP6 processors, including the FortiGate-1200D, 1500D, 1500DT, 3000D, 3100D, 3200D, 3700D, and 5001D. In future releases this feature may be supported on more models.

You can use the following command to enable and customize load balancing for LAG interfaces for NP6 platforms. This command is only available if your FortiGate supports this feature. Enabling this feature and adjusting the hashing algorithm can cause traffic disruptions.

config system npu
    set lag-out-port-select {disable | enable}
    config sw-eh-hash
        set computation {xor4 | xor8 | xor16 | crc16}
        set ip-protocol {exclude | include}
        set source-ip-upper-16 {exclude | include}
        set source-ip-lower-16 {exclude | include}
        set destination-ip-upper-16 {exclude | include}
        set destination-ip-lower-16 {exclude | include}
        set source-port {exclude | include}
        set destination-port {exclude | include}
        set netmask-length <length>
    end
end

lag-out-port-select enable enhanced load balancing for LAG interfaces. This option is disabled by default.

config sw-eh-hash optionally configure how the ISF load balances sessions among interfaces in LAGs. The default hashing algorithm should work in most cases, but you can use the options of this command to adjust it.

computation {xor4 | xor8 | xor16 | crc16} select the method used by the ISF to calculate the hash used to load balance sessions to LAGs.

  • xor16 use an XOR operator to create a 16-bit hash. This is the default setting.

  • xor8 use an XOR operator to create an 8-bit hash.

  • xor4 use an XOR operator to create a 4-bit hash.

  • crc16 use a CRC-16-CCITT polynomial to create a 16-bit hash.

ip-protocol choose whether to include the IP protocol when calculating the hash. Included by default.

source-ip-upper-16 choose whether to include the upper 16 bits of the source IP address when calculating the hash. Included by default.

source-ip-lower-16 choose whether to include the lower 16 bits of the source IP address when calculating the hash. Included by default.

destination-ip-upper-16 choose whether to include the upper 16 bits of the destination IP address when calculating the hash. Included by default.

destination-ip-lower-16 choose whether to include the lower 16 bits of the destination IP address when calculating the hash. Included by default.

source-port for TCP and UDP traffic, choose whether to include the source port number when calculating the hash. Included by default.

destination-port for TCP and UDP traffic, choose whether to include the destination port number when calculating the hash. Included by default.

netmask-length choose whether to include the network mask length when calculating the hash. Included by default.
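
The effect of the computation and include/exclude options can be seen in a simplified model (an added example, not Fortinet code and not the ISF's actual algorithm). It assumes the hash key is the sequence of 16-bit words named by the options, that the XOR modes fold the 16-bit XOR down to the chosen width, that crc16 is seeded with 0xFFFF, and that the LAG member is the hash modulo the member count; netmask-length is not modeled.

```python
import ipaddress
from collections import Counter

# Field names follow the sw-eh-hash options; netmask-length is not modeled.
FIELDS = ("ip-protocol", "source-ip-upper-16", "source-ip-lower-16",
          "destination-ip-upper-16", "destination-ip-lower-16",
          "source-port", "destination-port")

def key_words(flow, include=FIELDS):
    """Return the included 16-bit words of a (proto, src, dst, sport, dport) flow."""
    proto, src, dst, sport, dport = flow
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    words = dict(zip(FIELDS, (proto, s >> 16, s & 0xFFFF,
                              d >> 16, d & 0xFFFF, sport, dport)))
    return [words[f] for f in FIELDS if f in include]

def xor_hash(words, bits):
    """XOR all words together, then fold the 16-bit result down to `bits` bits."""
    h = 0
    for w in words:
        h ^= w
    out, mask = 0, (1 << bits) - 1
    while h:
        out ^= h & mask
        h >>= bits
    return out

def crc16_ccitt(data, crc=0xFFFF):
    """Bitwise CRC-16-CCITT (polynomial 0x1021); the 0xFFFF seed is an assumption."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def flow_hash(flow, computation="xor16", include=FIELDS):
    """Hash one flow with the selected computation over the included fields."""
    words = key_words(flow, include)
    if computation == "crc16":
        return crc16_ccitt(b"".join(w.to_bytes(2, "big") for w in words))
    return xor_hash(words, int(computation[3:]))  # xor4 / xor8 / xor16

def distribution(flows, members, computation="xor16", include=FIELDS):
    """Count flows per LAG member, assuming member = hash mod member count."""
    return Counter(flow_hash(f, computation, include) % members for f in flows)

# Constructed traffic: 256 TCP clients whose last address octet and source port
# rise together (10.0.0.i, port 1024+i), all talking to 192.0.2.10:443.
FLOWS = [(6, f"10.0.0.{i}", "192.0.2.10", 1024 + i, 443) for i in range(256)]
```

In this constructed traffic the source address and source port change in step, so their bits cancel under XOR and distribution(FLOWS, 4, "xor16") puts every flow on one member. Under the same assumptions, "crc16", or "xor16" with source-port left out of the include list, spreads the flows evenly across the four members.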
