FortiGate 900D fast path architecture
The FortiGate 900D includes two NP6 processors that are not connected by an integrated switch fabric (ISF). Without an ISF, traffic through a FortiGate 900D could experience lower latency than traffic through similar hardware with an ISF. The NP6 processors are connected to network interfaces as follows:
- Eight 1Gb SFP interfaces (port17-port24), eight 1Gb RJ-45 Ethernet interfaces (port25-32) and one 10Gb SFP+ interface (portB) share connections to the first NP6 processor.
- Eight 1Gb SFP interfaces (port1-port8), eight RJ-45 Ethernet interfaces (port9-16) and one 10Gb SFP+ interface (portA) share connections to the second NP6 processor.
As a result of this NP configuration, traffic will only be offloaded if it enters and exits the FortiGate 900D on interfaces connected to the same NP6 processor.
You can use the following get command to display the FortiGate 900D NP6 configuration. The command output shows two NP6s named NP6_0 and NP6_1. The output also shows the interfaces (ports) connected to each NP6. You can also use the diagnose npu np6 port-list
command to display this information.
get hardware npu np6 port-list
Chip XAUI Ports Max Cross-chip
Speed offloading
------ ---- ------- ----- ----------
np6_0 0
1 port17 1G Yes
1 port18 1G Yes
1 port19 1G Yes
1 port20 1G Yes
1 port21 1G Yes
1 port22 1G Yes
1 port23 1G Yes
1 port24 1G Yes
1 port27 1G Yes
1 port28 1G Yes
1 port25 1G Yes
1 port26 1G Yes
1 port31 1G Yes
1 port32 1G Yes
1 port29 1G Yes
1 port30 1G Yes
2 portB 10G Yes
3
------ ---- ------- ----- ----------
np6_1 0
1 port1 1G Yes
1 port2 1G Yes
1 port3 1G Yes
1 port4 1G Yes
1 port5 1G Yes
1 port6 1G Yes
1 port7 1G Yes
1 port8 1G Yes
1 port11 1G Yes
1 port12 1G Yes
1 port9 1G Yes
1 port10 1G Yes
1 port15 1G Yes
1 port16 1G Yes
1 port13 1G Yes
1 port14 1G Yes
2 portA 10G Yes
3
The FortiGate 900D supports creating LAGs that include interfaces connected to different NP6 processors. Because the FortiGate 900D does not have an internal switch fabric, when you set up a LAG consisting of interfaces connected to different NP6 processors, interfaces connected to each NP6 processor are added to different interface groups in the LAG. One interface group becomes the active group and processes all traffic. The interfaces in the other group become passive. No traffic is processed by interfaces in the passive group unless all of the interfaces in the active group fail or become disconnected.
Since only one NP6 processor can process traffic accepted by the LAG, creating a LAG with multuple NP6 processors does not improve performance in the same way as a in FortiGate with an internal switch fabric. However, other benefits of LAGs, such as redundancy, are supported.
For details, see Increasing NP6 offloading capacity using link aggregation groups (LAGs).