SR-IOV
FortiGate-VMs installed on Xen platforms support Single Root I/O virtualization (SR-IOV) to provide FortiGate-VMs with direct access to physical network cards. Enabling SR-IOV means that one PCIe network card or CPU can function for a FortiGate-VM as multiple separate physical devices. SR-IOV reduces latency and improves CPU efficiency by allowing network traffic to pass directly between a FortiGate-VM and a network card, bypassing Xen host software and without using virtual switching.
FortiGate-VMs benefit from SR-IOV because SR-IOV optimizes network performance and reduces latency and CPU usage. FortiGate-VMs do not use Xen features that are incompatible with SR-IOV, so you can enable SR-IOV without negatively affecting your FortiGate-VM. SR-IOV implements an I/O memory management unit (IOMMU) to differentiate between different traffic streams and apply memory and interrupt translations between the physical functions (PF) and virtual functions (VF).
Setting up SR-IOV on Xen involves creating a PF for each physical network card in the hardware platform. Then, you create VFs that allow FortiGate-VMs to communicate through the PF to the physical network card. VFs are actual PCIe hardware resources and only a limited number of VFs are available for each PF.
SR-IOV hardware compatibility
SR-IOV requires that the hardware and operating system on which your Xen host runs have BIOS, physical NIC, and network driver support for SR-IOV.
To enable SR-IOV, your Xen platform must be running on hardware that is compatible with both SR-IOV and FortiGate-VMs. FortiGate-VMs require network cards that are compatible with the ixgbevf or i40evf drivers. In addition, the host CPUs must support second-level address translation (SLAT).
For optimal SR-IOV support, install the most up-to-date ixgbevf or i40e/i40evf network drivers. Fortinet recommends the i40e/i40evf drivers because they provide four TxRx queues for each VF, whereas ixgbevf provides only two.
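The requirements above (a SLAT-capable CPU, an SR-IOV-capable NIC bound to a supported driver, and a finite VF budget per PF) can be checked from the XenServer host's control domain before you start building networks. The following script is an added example and is not part of this guide or of XenServer; it assumes that dom0 exposes the standard Linux /proc/cpuinfo and /sys/class/net/<interface>/device paths, and that the host-side PF drivers paired with the ixgbevf and i40evf VF drivers are ixgbe and i40e. The function names and the optional file and sysfs-root arguments are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Fortinet guide: pre-flight checks for the
# SR-IOV requirements, meant for the XenServer host's control domain (dom0),
# which runs Linux. The /proc and /sys paths are standard Linux locations;
# that dom0 exposes them for the PF is an assumption to confirm on your host.

# has_slat [FILE]: succeed if the CPU flags in FILE (default /proc/cpuinfo)
# include a second-level address translation feature: "ept" (Intel EPT) or
# "npt" (AMD NPT). Takes a file argument so it can be exercised offline.
has_slat() {
    grep -E '^flags' "${1:-/proc/cpuinfo}" | head -n 1 \
        | tr ' ' '\n' | grep -Eqx 'ept|npt'
}

# pf_driver_ok NAME: succeed if NAME is the host-side (PF) driver of one of
# the NIC families the guide lists. The VF drivers it names, ixgbevf and
# i40evf, are bound inside the FortiGate-VM; on the host the matching PF
# drivers are ixgbe and i40e.
pf_driver_ok() {
    case "$1" in
        ixgbe|i40e) return 0 ;;
        *) return 1 ;;
    esac
}

# vf_budget TOTALVFS NUMVFS: print how many VFs are still unallocated on a
# PF, given the contents of sysfs sriov_totalvfs and sriov_numvfs. Only a
# limited number of VFs exist per PF, so this says whether another
# FortiGate-VM can still be attached to this NIC.
vf_budget() {
    echo $(( $1 - $2 ))
}

# nic_sriov_report IFNAME [SYSROOT]: print one line per check for a PF.
# SYSROOT defaults to /sys; pass another root to run against a fake tree.
# device/driver is a symlink whose basename is the bound driver, and
# device/sriov_totalvfs exists only when the driver exposes SR-IOV.
nic_sriov_report() {
    ifname="$1"; sysroot="${2:-/sys}"
    dev="$sysroot/class/net/$ifname/device"
    if [ ! -d "$dev" ]; then
        echo "$ifname: no PCI device behind this interface"; return 1
    fi
    driver=$(basename "$(readlink -f "$dev/driver")")
    if pf_driver_ok "$driver"; then
        echo "$ifname: driver $driver (supported PF driver)"
    else
        echo "$ifname: driver $driver (not ixgbe/i40e; check compatibility)"
    fi
    if [ -r "$dev/sriov_totalvfs" ]; then
        total=$(cat "$dev/sriov_totalvfs"); used=$(cat "$dev/sriov_numvfs")
        echo "$ifname: SR-IOV capable, $(vf_budget "$total" "$used") of $total VFs free"
    else
        echo "$ifname: sriov_totalvfs absent, SR-IOV not exposed by this driver"
        return 1
    fi
}

# check_host IFNAME...: run all checks from the command line, e.g.
#   sh sriov-preflight.sh eth0 eth1
check_host() {
    if has_slat; then
        echo "CPU: SLAT present (ept/npt flag found)"
    else
        echo "CPU: no ept/npt flag, SLAT missing"
    fi
    for nic in "$@"; do nic_sriov_report "$nic"; done
}

[ "$#" -gt 0 ] && check_host "$@"
```

Run it once per physical NIC you intend to use as a PF; a NIC that reports no sriov_totalvfs entry will not accept the XenCenter or xe SR-IOV network creation steps that follow, regardless of what the BIOS advertises.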
Create an SR-IOV network from XenCenter
The following procedure may require rebooting the XenServer host, so it should only be performed during a maintenance window.
From the XenCenter GUI:
- Under the Networking tab select Add Network.
- On the Select Type page, select SR-IOV Network.
- Give the new network a name.
- On the Network Settings page, select a NIC that supports SR-IOV.
- Select Finish to build the network and select Create SR-IOV anyway when prompted.
- On the Network tab, confirm that the new network was added. The SR-IOV column should indicate that the new network is an SR-IOV network. The column could also indicate whether you must reboot the XenServer host.
- Restart the XenServer host if required.
Assign an SR-IOV network to a FortiGate-VM from XenCenter
The following procedure requires shutting down and restarting the FortiGate-VM, so it should only be performed during a maintenance window.
From the XenCenter GUI:
- From the Networking tab, select a FortiGate-VM that you want to assign the SR-IOV network to.
- Shut down the FortiGate-VM.
- Select Add Interface to add a new interface.
- Set Network to the SR-IOV network added above and configure other network settings as required.
- Start the FortiGate-VM.
Create an SR-IOV network from the xe CLI
The following procedure may require rebooting the XenServer host, so it should only be performed during a maintenance window.
From the xe CLI:
- Create the SR-IOV network with the following network-create command. This command also returns the UUID of the newly created network:
xe network-create name-label=<network-name>
- Determine the PIF UUID of the NIC on which the SR-IOV network will be configured:
xe pif-list
- Configure the network as an SR-IOV network. The following command also returns the UUID of the newly created SR-IOV network:
xe network-sriov-create network-uuid=<network-uuid> pif-uuid=<physical-pif-uuid>
- Enter the following command to determine if the XenServer host needs to be rebooted:
xe network-sriov-param-list uuid=<sriov-network-uuid>
The output should contain a line similar to the following that indicates whether or not the XenServer host needs to be restarted:
requires-reboot ( RO): false
Assign an SR-IOV network to a FortiGate-VM from the xe CLI
The following procedure requires shutting down and restarting the FortiGate-VM, so it should only be performed during a maintenance window.
From the xe CLI:
- Determine the VIF MAC address of the FortiGate-VM by entering the following command:
xe vm-vif-list vm="<fortigate-vm-instance-name>"
- Assign the SR-IOV Network to the FortiGate-VM:
xe vif-create device=<device-index> mac=<vf-mac-address> network-uuid=<sriov-network-uuid> vm-uuid=<vm-uuid>
This command also returns the UUID of the newly created network.
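The two xe procedures above (creating the SR-IOV network and attaching it to a FortiGate-VM), wrapped as shell functions so that each step's returned UUID feeds the next and the requires-reboot answer is parsed rather than eyeballed. This is an added example and is not part of this guide or of XenServer. It uses the xe subcommands and options shown above, plus xe vm-shutdown and xe vm-start for the power cycle the procedure requires; the XE variable, the function names, and the exact "name ( RO): value" layout assumed for the requires-reboot and MAC lines are this example's assumptions, so confirm them against your host's own xe output before relying on the parsing.

```shell
#!/bin/sh
# Added example, not from the Fortinet guide: the xe procedures as shell
# functions run on the XenServer host. XE defaults to the real xe binary;
# pointing XE at another command (for instance a stub that prints canned
# output) lets the flow be exercised without a host. The parsing below
# assumes xe's "name ( RO): value" parameter layout.
XE="${XE:-xe}"

# sriov_network_create NAME PIF_UUID: create a network, turn it into an
# SR-IOV network on the given PIF, and print the SR-IOV network UUID.
sriov_network_create() {
    net_uuid=$("$XE" network-create name-label="$1") || return 1
    "$XE" network-sriov-create network-uuid="$net_uuid" pif-uuid="$2"
}

# parse_requires_reboot: read network-sriov-param-list output on stdin;
# exit 0 when requires-reboot is "true", 1 when "false", 2 when the line
# is missing (treat 2 as "do not assume the network is usable").
parse_requires_reboot() {
    val=$(sed -n 's/^ *requires-reboot *( *RO *) *: *//p' | head -n 1 \
          | tr -d '[:space:]')
    case "$val" in
        true)  return 0 ;;
        false) return 1 ;;
        *) echo "requires-reboot not found in param-list output" >&2; return 2 ;;
    esac
}

# requires_reboot SRIOV_NET_UUID: succeed if the host must be rebooted
# before the SR-IOV network can be used.
requires_reboot() {
    "$XE" network-sriov-param-list uuid="$1" | parse_requires_reboot
}

# sriov_network_setup NAME PIF_UUID: create the SR-IOV network and report
# whether a host reboot is still needed (do this inside a maintenance window).
sriov_network_setup() {
    sriov_uuid=$(sriov_network_create "$1" "$2") || return 1
    echo "SR-IOV network: $sriov_uuid"
    if requires_reboot "$sriov_uuid"; then
        echo "host reboot required before the SR-IOV network is usable"
    else
        echo "no host reboot required"
    fi
}

# vm_vif_macs VM_NAME: print the MAC address of each existing VIF on the VM,
# one per line, parsed from vm-vif-list (the "MAC ( RO): ..." line is assumed).
vm_vif_macs() {
    "$XE" vm-vif-list vm="$1" | sed -n 's/^ *MAC *( *RO *) *: *//p' | tr -d '[:space:]\n' ; echo
}

# sriov_assign_to_vm VM_UUID DEVICE_INDEX MAC SRIOV_NET_UUID: power the
# FortiGate-VM off, attach a VIF on the SR-IOV network, power it back on,
# and print the UUID of the new VIF (vif-create returns the VIF's UUID).
sriov_assign_to_vm() {
    "$XE" vm-shutdown uuid="$1" || return 1
    vif_uuid=$("$XE" vif-create device="$2" mac="$3" \
                      network-uuid="$4" vm-uuid="$1") || return 1
    "$XE" vm-start uuid="$1" || return 1
    echo "$vif_uuid"
}
```

Usage from dom0 looks like `sriov_network_setup fgt-sriov <pif-uuid>` followed, after any reboot it reports, by `sriov_assign_to_vm <vm-uuid> 1 <vf-mac-address> <sriov-network-uuid>`. The reboot check exits non-zero both when no reboot is needed and when the line is absent, so scripts that gate on it should distinguish return code 1 from 2 rather than treating any failure as "ready".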