FortiGate 900G and 901G fast path architecture
The FortiGate 900G and 901G models feature the following front panel interfaces:
- Two 10/100/1000BASE-T RJ45 (HA and MGMT, not connected to the NP7 processor).
- Sixteen 10/100/1000BASE-T RJ45 (1 to 16).
- Eight 1 GigE SFP (17 to 24).
- Four 10/1 GigE SFP+/SFP (X1 to X4) (X1 and X2 are FortiLink interfaces).
- Four 10/25 GigE SFP+/SFP28 (X5 to X8) ultra low latency (ULL) interfaces. All ULL interfaces operate at the same speed. ULL interfaces bypass the integrated switch fabric (ISF).
The FortiGate 900G and 901G each include one NP7 processor. Front panel data interfaces 1 to 24 and X1 to X4 and one of the NP7 processor interfaces connect to the integrated switch fabric (ISF). All data traffic passes from these data interfaces through the ISF to the NP7 processor. All supported traffic passing between any two of these data interfaces can be offloaded by the NP7 processor. Data traffic processed by the CPU takes a dedicated data path through the ISF and the NP7 processor to the CPU.
Front panel data interfaces X5 to X8 connect directly to the other NP7 processor interfaces instead of to the ISF. Because the ISF introduces latency and X5 to X8 bypass it, these are ultra low latency (ULL) interfaces: NP7 traffic that enters and exits the FortiGate through ULL interfaces experiences lower latency than traffic passing through interfaces connected to the ISF. To achieve low latency, traffic must both enter and exit the FortiGate through the X5 to X8 interfaces. If traffic enters or exits through any other data interface, it is subject to the latency of passing through the ISF.
The FortiGate-900G and 901G do not support configuring NPU port mapping, because only one of the NP7 interfaces is connected to the ISF.
The MGMT interface is not connected to the NP7 processor. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).
The HA interface is also not connected to the NP7 processor. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.
The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.
You can use the following command to display the FortiGate 900G or 901G NP7 configuration.
diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name
-------- --------------- ---------------- --------------- --------- ---------- ------------
port1    1000            1000             n/a             0         1
port2    1000            1000             n/a             0         0
port3    1000            1000             n/a             0         3
port4    1000            1000             n/a             0         2
port5    1000            1000             n/a             0         5
port6    1000            1000             n/a             0         4
port7    1000            1000             n/a             0         7
port8    1000            1000             n/a             0         6
port9    1000            1000             n/a             0         9
port10   1000            1000             n/a             0         8
port11   1000            1000             n/a             0         11
port12   1000            1000             n/a             0         10
port13   1000            1000             n/a             0         13
port14   1000            1000             n/a             0         12
port15   1000            1000             n/a             0         15
port16   1000            1000             n/a             0         14
port17   1000            1000             n/a             0         17
port18   1000            1000             n/a             0         16
port19   1000            1000             n/a             0         19
port20   1000            1000             n/a             0         18
port21   1000            1000             n/a             0         25
port22   1000            1000             n/a             0         24
port23   1000            1000             n/a             0         27
port24   1000            1000             n/a             0         26
x1       10000           10000            n/a             0         40
x2       10000           10000            n/a             0         32
x3       10000           10000            n/a             0         49
x4       10000           10000            n/a             0         48
x5       25000           10000            n/a             n/a       n/a        n/a
x6       25000           10000            n/a             n/a       n/a        n/a
x7       25000           10000            n/a             n/a       n/a        n/a
x8       25000           10000            n/a             n/a       n/a        n/a
-------- --------------- ---------------- --------------- --------- ---------- ------------
NP Port:
Name   Switch_id SW_port_id SW_port_name
------ --------- ---------- ------------
np0_0  0         50
------ --------- ---------- ------------
* Max_speed: Maximum speed, Dflt_speed: Default speed
* SW_port_id: Switch port ID, SW_port_name: Switch port name
The command output shows the maximum speed of each interface. It also shows that the x5 to x8 interfaces are not connected to the integrated switch fabric: their Switch_id and SW_port_id values are n/a.
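The low latency rule described earlier (traffic must both enter and exit through ULL ports) can be checked against the port-list output. The following Python sketch is an added example, not Fortinet code; the function names parse_port_list and path_latency_class are hypothetical, and the embedded sample is a constructed excerpt of the output shown above.

```python
import re

# Constructed sample: a few rows in the format of `diagnose npu np7 port-list`
# (values taken from the output shown above; not a live capture).
SAMPLE = """\
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group Switch_id SW_port_id SW_port_name
-------- --------------- ---------------- -------- --------- ---------- ------------
port1    1000            1000             n/a      0         1
x1       10000           10000            n/a      0         40
x5       25000           10000            n/a      n/a       n/a        n/a
x8       25000           10000            n/a      n/a       n/a        n/a
-------- --------------- ---------------- -------- --------- ---------- ------------
NP Port:
Name   Switch_id SW_port_id SW_port_name
------ --------- ---------- ------------
np0_0  0         50
"""

# Front panel rows only: name, max speed, default speed, NP_group, Switch_id, SW_port_id
ROW = re.compile(r"^(port\d+|x\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_port_list(text):
    """Return {name: {"max_mbps", "dflt_mbps", "via_isf"}} for front panel ports."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, separators, NP Port section, legend
        name, max_s, dflt_s, _np_group, switch_id, _sw_port = m.groups()
        ports[name] = {
            "max_mbps": int(max_s),
            "dflt_mbps": int(dflt_s),
            # A Switch_id of n/a means the port is not attached to the ISF (ULL).
            "via_isf": switch_id != "n/a",
        }
    return ports

def path_latency_class(ports, ingress, egress):
    """Return 'ull' only when both ends bypass the ISF; otherwise 'isf'."""
    for p in (ingress, egress):
        if p not in ports:
            raise KeyError(f"unknown interface: {p}")
    if ports[ingress]["via_isf"] or ports[egress]["via_isf"]:
        return "isf"
    return "ull"

if __name__ == "__main__":
    ports = parse_port_list(SAMPLE)
    print(path_latency_class(ports, "x5", "x8"), path_latency_class(ports, "x1", "x5"))
```

Paste the full output of the command in place of SAMPLE to audit a policy's ingress and egress interfaces before relying on the ULL path.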
The NP7 processor has a bandwidth capacity of 200 Gigabits. You can see from the command output that if all interfaces were operating at their maximum bandwidth the NP7 processor would not be able to offload all the traffic.
Changing the speed of the X5 to X8 ULL interfaces
By default, the FortiGate-900G and 901G front panel ULL data interfaces X5 to X8 operate as 10G SFP+ interfaces. You can use the following command to configure them to operate as 25G SFP28 interfaces:
config system npu
set ull-port-mode 25G
end
Entering this command restarts the FortiGate, so the speed of the ULL interfaces should be changed during a maintenance window. This command changes the speeds of all of the ULL interfaces. All of the ULL interfaces operate at the same speed.
You can use the following command to change the ULL interfaces back to the default setting as 10G SFP+ interfaces:
config system npu
set ull-port-mode 10G
end
Entering this command also restarts the FortiGate.