Fortinet Document Library

FortiGate-VM on Xen

Version: 6.0.0

SR-IOV

FortiGate VMs installed on XenServer platforms support Single Root I/O virtualization (SR-IOV) to provide FortiGate VMs with direct access to hardware devices. Enabling SR-IOV means that one PCIe device (CPU or network card) can function for a FortiGate-VM as multiple separate physical devices (CPUs or network devices). SR-IOV reduces latency and improves CPU efficiency by allowing network traffic to pass directly between a FortiGate VM and a network card without passing through the XenServer kernel and without using virtual switching.

FortiGate VMs benefit from SR-IOV because SR-IOV optimizes network performance and reduces latency. FortiGate VMs do not use XenServer features that are incompatible with SR-IOV, so you can enable SR-IOV without negatively affecting your FortiGate-VM.

SR-IOV hardware compatibility

SR-IOV requires that the hardware on which your XenServer host is running has BIOS, physical NIC, and network driver support for SR-IOV.

To enable SR-IOV, your XenServer platform must be running on hardware that is compatible with SR-IOV and with FortiGate-VMs. FortiGate-VMs require network cards that are compatible with ixgbevf or i40evf drivers.

For optimal SR-IOV support, install the most up-to-date ixgbevf or i40evf network drivers.

XenServer SR-IOV limitations

Live migration, suspend, and checkpoint are not supported for VMs using SR-IOV.

Create an SR-IOV network from XenCenter

The following procedure may require rebooting the XenServer host, so perform it only during a quiet time or maintenance window when the network is not busy.

From the XenCenter GUI:

  1. Under the Networking tab select Add Network.
  2. On the Select Type page, select SR-IOV Network.
  3. Give the new network a name.
  4. On the Network Settings page, select a NIC that supports SR-IOV.
  5. Select Finish to build the network and select Create SR-IOV anyway when prompted.
  6. On the Network tab, confirm that the new network was added. The SR-IOV column should indicate that the new network is an SR-IOV network. The column could also indicate whether you need to reboot the XenServer host.
  7. Restart the XenServer host if required.

Assign an SR-IOV network to a FortiGate-VM from XenCenter

The following procedure requires shutting down and restarting the FortiGate-VM, so perform it only during a quiet time or maintenance window when the network is not busy.

From the XenCenter GUI:

  1. From the Networking tab, select a FortiGate-VM that you want to assign the SR-IOV network to.
  2. Shut down the FortiGate-VM.
  3. Select Add Interface to add a new interface.
  4. Set Network to the SR-IOV network added above and configure other network settings as required.
  5. Start the FortiGate-VM.

Create an SR-IOV network from the xe CLI

The following procedure may require rebooting the XenServer host, so perform it only during a quiet time or maintenance window when the network is not busy.

From the xe CLI:

  1. Create the SR-IOV network with the following network-create command. This command also returns the UUID of the newly created network:
    xe network-create name-label=<network-name>
  2. Determine the PIF UUID of the NIC on which the SR-IOV network will be configured:
    xe pif-list
  3. Configure the network as an SR-IOV network. The following command also returns the UUID of the newly created SR-IOV Network:
    xe network-sriov-create network-uuid=<network-uuid> pif-uuid=<physical-pif-uuid>
  4. Enter the following command to determine if the XenServer host needs to be rebooted:
    xe network-sriov-param-list uuid=<SR-IOV Network_uuid>
    The output should contain a line similar to the following that indicates whether or not the XenServer host needs to be restarted:
    requires-reboot ( RO): false
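
The four xe steps above as one script. This is an added example, not Fortinet's or Citrix's own code; the function names are chosen here, and looking up the PIF by device name (with the `device=`, `params=uuid` and `--minimal` options of `xe pif-list`) is an assumption about how you identify the NIC. It refuses to continue when the device name matches no PIF or more than one, and it reads the requires-reboot line instead of leaving it to be checked by eye.

```shell
#!/usr/bin/env bash
# Added example: SR-IOV network creation on XenServer with the xe CLI.
# Defines functions only; nothing is executed when the file is sourced.

# Read `xe network-sriov-param-list` output on stdin and print the value of
# requires-reboot ("true" or "false"). Fails if the field is missing or odd.
parse_requires_reboot() {
    awk -F':' '$1 ~ /^[ \t]*requires-reboot[ \t]*[(]/ {
        v = $2; gsub(/[ \t\r]/, "", v)
        if (v == "true" || v == "false") { print v; ok = 1 }
        exit
    } END { exit !ok }'
}

# Step 2: resolve a NIC device name (for example eth2, an assumed name) to
# exactly one PIF UUID. In a pool the same device name can match several
# PIFs, so an empty or comma-separated result is treated as an error.
single_pif_uuid() {
    local uuids
    uuids=$(xe pif-list device="$1" params=uuid --minimal) || return 1
    case "$uuids" in
        ''|*,*) echo "expected one PIF for $1, got: '$uuids'" >&2; return 1 ;;
    esac
    printf '%s\n' "$uuids"
}

# Steps 1, 3 and 4: create the network, turn it into an SR-IOV network on
# the given PIF, and report "<network-uuid> <sriov-uuid> <requires-reboot>".
create_sriov_network() {
    local net_uuid sriov_uuid reboot
    net_uuid=$(xe network-create name-label="$1") || return 1
    sriov_uuid=$(xe network-sriov-create network-uuid="$net_uuid" \
        pif-uuid="$2") || return 1
    reboot=$(xe network-sriov-param-list uuid="$sriov_uuid" \
        | parse_requires_reboot) || return 1
    printf '%s %s %s\n' "$net_uuid" "$sriov_uuid" "$reboot"
}

# Usage on the XenServer host (network and device names are placeholders):
#   pif=$(single_pif_uuid eth2) && create_sriov_network sriov-net "$pif"
```

If the third field printed is `true`, restart the XenServer host before attaching the network to a VM.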

Assign an SR-IOV network to a FortiGate-VM from the xe CLI

This procedure requires shutting down and restarting the FortiGate-VM, so perform it only during a quiet time or maintenance window when the network is not busy.

From the xe CLI:

  1. Determine the VIF MAC address of the FortiGate-VM by entering the following command:
    xe vm-vif-list vm="<fortigate-vm-instance-name>"
  2. Assign the SR-IOV network to the FortiGate-VM. This command also returns the UUID of the newly created network:
    xe vif-create device=<device-index> mac=<vf-mac-address> network-uuid=<sriov-network> vm-uuid=<vm-uuid>

 

 

 
