Hardware Acceleration

Software switch interfaces and NP processors

FortiOS supports creating a software switch by grouping two or more interfaces into a single virtual or software switch interface. All of the interfaces in the software switch act like interfaces in a hardware switch in that they all have the same IP address and can be connected to the same network.

  • You create a software switch interface from the GUI by going to Network > Interfaces, selecting Create New > Interface and setting Type to Software Switch. Among other settings you can set Inter-Switch policy to Implicit or Explicit.

  • You create a software switch interface from the CLI using the commands config system switch-interface and config system interface:

config system switch-interface
    edit <switch-interface-name>
        set vdom <vdom>
        set member <interface1> <interface2> ...
        set inter-switch-policy {implicit | explicit}
    next
end

config system interface
    edit <switch-interface-name>
        set vdom <vdom>
        set type switch
        set ip <ip_address>
    next
end

The default setting of inter-switch-policy is implicit, which means traffic is allowed to pass between member interfaces. Setting inter-switch-policy to explicit means that you must create firewall policies between member interfaces to allow traffic to pass between them.

All NP processors support offloading software switch traffic if inter-switch-policy is set to explicit, device-identification is disabled for the interfaces added to the software switch, and you have created firewall policies that allow traffic between software switch interfaces.

NP processors cannot offload software switch traffic if inter-switch-policy is set to implicit. In this case, the software switch is a bridge group of several interfaces, and the FortiGate CPU maintains the mac-port table for this bridge. As a result of this CPU involvement, traffic processed by a software switch with inter-switch-policy set to implicit is not offloaded to network processors.
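The three offload conditions above can be checked against a configuration backup. The following is an added example, not Fortinet code: it parses a constructed sample config and lists, per software switch, which condition is not met. Keyword names are used as this page spells them, an interface with no device-identification line is assumed to be disabled, and policies are matched only on srcintf, dstintf and action.

```python
import shlex
SAMPLE = """
config system switch-interface
    edit "sw-lan"
        set member "port1" "port2"
    next
    edit "sw-dmz"
        set member "port3" "port4"
        set inter-switch-policy explicit
    next
end
config system interface
    edit "port4"
        set device-identification enable
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set action accept
    next
end
"""  # constructed sample, not from the page; switch and port names are placeholders

def parse(text):  # returns {section: {entry: {key: [values]}}}
    cfg, section, entry, nested = {}, None, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if entry is not None and (nested or tok[0] == "config"):
            nested += (tok[0] == "config") - (tok[0] == "end")  # skip nested sub-tables
        elif tok[0] == "config":
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] in ("edit", "next") and section is not None:
            entry = section.setdefault(tok[1], {}) if tok[0] == "edit" else None
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def offload_blockers(cfg, switch):  # offload conditions from the page that this switch fails
    sw = cfg["system switch-interface"][switch]
    if sw.get("inter-switch-policy", ["implicit"]) != ["explicit"]:  # default is implicit
        return ["inter-switch-policy is implicit"]
    ifaces, members = cfg.get("system interface", {}), sw.get("member", [])
    out = [f"device-identification enabled on {m}" for m in members
           if ifaces.get(m, {}).get("device-identification") == ["enable"]]  # unset = disabled (assumption)
    ok = {(s, d) for p in cfg.get("firewall policy", {}).values() if p.get("action") == ["accept"]
          for s in p.get("srcintf", []) for d in p.get("dstintf", [])}
    return out + [f"no accept policy {a} -> {b}" for a in members for b in members
                  if a != b and (a, b) not in ok]
```

An empty list means the switch meets all three conditions. A switch reported as implicit is also one whose members exchange traffic without any firewall policy.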

For more information about software switch interfaces, see Software switch.
