SR-IOV

FortiGate-VMs installed on Xen platforms support Single Root I/O Virtualization (SR-IOV) to give FortiGate-VMs direct access to physical network cards. Enabling SR-IOV means that one PCIe network card or CPU can appear to a FortiGate-VM as multiple separate physical devices. SR-IOV reduces latency and improves CPU efficiency by letting network traffic pass directly between a FortiGate-VM and a network card, bypassing the Xen host software and virtual switching.

FortiGate-VMs benefit from SR-IOV because it optimizes network performance and reduces latency and CPU usage. FortiGate-VMs do not use Xen features that are incompatible with SR-IOV, so you can enable SR-IOV without negatively affecting your FortiGate-VM. SR-IOV relies on an I/O memory management unit (IOMMU) to keep traffic streams separate and to translate memory addresses and interrupts between physical functions (PFs) and virtual functions (VFs).

Setting up SR-IOV on Xen involves creating a PF for each physical network card in the hardware platform. Then, you create VFs that allow FortiGate-VMs to communicate through the PF to the physical network card. VFs are actual PCIe hardware resources and only a limited number of VFs are available for each PF.

SR-IOV hardware compatibility

SR-IOV requires that the hardware and operating system on which your Xen host runs have BIOS, physical NIC, and network driver support for SR-IOV.

To enable SR-IOV, your Xen platform must be running on hardware that is compatible with SR-IOV and with FortiGate-VMs. FortiGate-VMs require network cards that are compatible with the ixgbevf or i40evf drivers. The host CPUs must also support second-level address translation (SLAT).

For optimal SR-IOV support, install the most up-to-date ixgbevf or i40e/i40evf network drivers. Fortinet recommends the i40e/i40evf drivers because they provide four TxRx queues per VF, whereas ixgbevf provides only two.

Create an SR-IOV network from XenCenter

The following procedure may require rebooting the XenServer host, so it should only be performed during a maintenance window.

From the XenCenter GUI:

  1. Under the Networking tab select Add Network.
  2. On the Select Type page, select SR-IOV Network.
  3. Give the new network a name.
  4. On the Network Settings page, select a NIC that supports SR-IOV.
  5. Select Finish to build the network and select Create SR-IOV anyway when prompted.
  6. On the Network tab, confirm that the new network was added. The SR-IOV column should indicate that the new network is an SR-IOV network. The column could also indicate whether you must reboot the XenServer host.
  7. Restart the XenServer host if required.

Assign an SR-IOV network to a FortiGate-VM from XenCenter

The following procedure requires shutting down and restarting the FortiGate-VM, so it should only be performed during a maintenance window.

From the XenCenter GUI:

  1. From the Networking tab, select a FortiGate-VM that you want to assign the SR-IOV network to.
  2. Shut down the FortiGate-VM.
  3. Select Add Interface to add a new interface.
  4. Set Network to the SR-IOV network added above and configure other network settings as required.
  5. Start the FortiGate-VM.

Create an SR-IOV network from the xe CLI

The following procedure may require rebooting the XenServer host, so it should only be performed during a maintenance window.

From the xe CLI:

  1. Create the SR-IOV network with the following network-create command. This command also returns the UUID of the newly created network:

    xe network-create name-label=<network-name>

  2. Determine the PIF UUID of the NIC on which the SR-IOV network will be configured:

    xe pif-list

  3. Configure the network as an SR-IOV network. The following command also returns the UUID of the newly created SR-IOV Network:

    xe network-sriov-create network-uuid=<network-uuid> pif-uuid=<physical-pif-uuid>

  4. Enter the following command to determine if the XenServer host needs to be rebooted:

    xe network-sriov-param-list uuid=<sriov-network-uuid>

    The output should contain a line similar to the following that indicates whether or not the XenServer host needs to be restarted:

    requires-reboot ( RO): false

Assign an SR-IOV network to a FortiGate-VM from the xe CLI

The following procedure requires shutting down and restarting the FortiGate-VM, so it should only be performed during a maintenance window.

From the xe CLI:

  1. Determine the vif mac address of the FortiGate-VM by entering the following command:

    xe vm-vif-list vm="<fortigate-vm-instance-name>"

  2. Assign the SR-IOV Network to the FortiGate-VM:

    xe vif-create device=<device-index> mac=<vf-mac-address> network-uuid=<sriov-network> vm-uuid=<vm-uuid>

    This command also returns the UUID of the newly created network.
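The two xe CLI procedures above (creating the SR-IOV network and assigning it to a FortiGate-VM), scripted as shell functions. This is an added example, not code from the Fortinet page or from XenServer; it assumes `xe` is on the PATH of the XenServer host, and NETWORK_NAME, PIF_UUID, VM_NAME, DEVICE_INDEX and VF_MAC are hypothetical operator-supplied values. The requires-reboot check fails closed: an unexpected response is treated as an error rather than as "no reboot needed".

```shell
#!/bin/sh
# Added example (not from the Fortinet page): the xe CLI steps above as
# shell functions. Assumes `xe` is on PATH; NETWORK_NAME, PIF_UUID, VM_NAME,
# DEVICE_INDEX and VF_MAC are hypothetical operator inputs.
set -eu

# Parse `xe network-sriov-param-list` output and print the requires-reboot
# value ("true" or "false"). Exits non-zero if the field is absent, so a
# caller never concludes "no reboot needed" from an unexpected response.
sriov_requires_reboot() {
    printf '%s\n' "$1" |
        awk -F': ' '/^ *requires-reboot/ { print $2; found = 1 }
                    END { exit !found }'
}

# Steps 1 to 4 of "Create an SR-IOV network from the xe CLI". Prints the
# network UUID (the value later passed to vif-create as network-uuid) and
# warns on stderr when the XenServer host must be rebooted first.
create_sriov_network() {   # $1 = name-label, $2 = physical PIF UUID
    net_uuid=$(xe network-create name-label="$1")
    sriov_uuid=$(xe network-sriov-create network-uuid="$net_uuid" pif-uuid="$2")
    params=$(xe network-sriov-param-list uuid="$sriov_uuid")
    if [ "$(sriov_requires_reboot "$params")" = "true" ]; then
        echo "SR-IOV network $sriov_uuid: XenServer host reboot required" >&2
    fi
    printf '%s\n' "$net_uuid"
}

# "Assign an SR-IOV network to a FortiGate-VM from the xe CLI": the VM is
# shut down while the VIF is added, then started again. $1 must be a
# unique VM name-label; $4 is the VF MAC address chosen in step 1 above.
attach_sriov_network() {   # $1 = VM name-label, $2 = network UUID,
                           # $3 = device index,  $4 = VF MAC address
    vm_uuid=$(xe vm-list name-label="$1" --minimal)
    xe vm-shutdown uuid="$vm_uuid"
    xe vm-vif-list vm="$1"      # show the existing VIFs/MACs, as in step 1
    xe vif-create device="$3" mac="$4" network-uuid="$2" vm-uuid="$vm_uuid"
    xe vm-start uuid="$vm_uuid"
}

# Guarded entry point: only runs the real xe commands when RUN_SRIOV=1.
if [ "${RUN_SRIOV:-0}" = "1" ]; then
    net=$(create_sriov_network "$NETWORK_NAME" "$PIF_UUID")
    attach_sriov_network "$VM_NAME" "$net" "$DEVICE_INDEX" "$VF_MAC"
fi
```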