Software switch interfaces and NP processors
FortiOS supports creating a software switch by grouping two or more interfaces into a single virtual or software switch interface. All of the interfaces in the software switch act like interfaces in a hardware switch in that they all have the same IP address and can be connected to the same network.
You create a software switch interface from the GUI by going to Network > Interfaces, selecting Create New > Interface and setting Type to Software Switch. Among other settings you can set intra-switch-policy to Implicit or Explicit.
You create a software switch interface from the CLI using the commands config system switch-interface and config system interface:

config system switch-interface
    edit <switch-interface-name>
        set vdom <vdom>
        set member <interface1> <interface2> ...
        set intra-switch-policy {implicit | explicit}
    next
end

config system interface
    edit <switch-interface-name>
        set vdom <vdom>
        set type switch
        set ip <ip_address>
    next
end
The default setting of intra-switch-policy is implicit, which means traffic is allowed to pass between member interfaces without a firewall policy. Setting intra-switch-policy to explicit means that traffic between member interfaces is treated like traffic between any two interfaces: you must create firewall policies that allow it, and it is subject to the security profiles applied by those policies.
All NP processors support offloading software switch traffic if intra-switch-policy is set to explicit and you have created firewall policies that allow traffic between the software switch member interfaces.
NP processors cannot offload software switch traffic if intra-switch-policy is set to implicit. In this case, the software switch is a bridge group of several interfaces, and the FortiGate CPU maintains the MAC-port table for this bridge. Because of this CPU involvement, traffic processed by a software switch with intra-switch-policy set to implicit is not offloaded to network processors.
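The following is an added worked example, not configuration taken from the original page. It builds a software switch with intra-switch-policy set to explicit and adds the pair of firewall policies that the preceding paragraphs say NP offload requires. The interface names (port2, port3), switch name (lan-sw), VDOM (root), IP address and policy IDs are assumptions chosen for illustration; substitute your own. Member interfaces must not carry an IP address or be referenced by other configuration before they are added, otherwise the set member command fails.

```fortios
# Assumed example, not from the original page.
# Step 1: group port2 and port3 into a software switch and require
# explicit firewall policies for traffic between the members.
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set member "port2" "port3"
        set intra-switch-policy explicit
    next
end

# Step 2: give the switch interface its IP address (this is the address
# shared by all members, as with a hardware switch).
config system interface
    edit "lan-sw"
        set vdom "root"
        set type switch
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
end

# Step 3: with intra-switch-policy explicit, member-to-member traffic is
# dropped until a policy allows it. One policy per direction; leaving
# auto-asic-offload at its default (enable) lets the NP handle the
# sessions these policies create. Policy IDs 10 and 11 are assumed free.
config firewall policy
    edit 10
        set name "sw-port2-to-port3"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload enable
    next
    edit 11
        set name "sw-port3-to-port2"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload enable
    next
end
```

To confirm that sessions between the members are actually being offloaded, generate some traffic between hosts on port2 and port3 and inspect the session table with diagnose sys session list; offloaded sessions show a non-zero npu_state and npu info line, whereas with intra-switch-policy implicit the same traffic never appears as NP-offloaded because the CPU is bridging it. Note that explicit mode also means any security profiles attached to these policies are enforced on member-to-member traffic, which is often the reason to choose it independently of offload.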
For more information about software switch interfaces, see Software switch.