FortiGate
alif
Staff
Article Id 190242
Description
This article explains the restrictions that some FortiGate models with multiple NP6 (Network Processor 6) have with regard to the configuration of Link Aggregation Groups (LAG).

LAGs are used to increase the NP6 offloading capacity in FortiGate devices with multiple NP6 processors. However, the models listed under Scope have some restrictions on LAG configuration; for example, configuring portA and portB of the FortiGate-1000D into a single LAG is not permitted.
Scope
FortiGate-200E/FortiGate 201E (NP6Lite)
FortiGate-900D
FortiGate-1000D
FortiGate-2000E
FortiGate-2500E


Solution
If a FortiGate has two or more NP6 processors connected by an Integrated Switch Fabric (ISF), LAGs can be used to increase offloading by sharing the traffic load across multiple NP6 processors. This can be achieved by adding physical interfaces connected to different NP6 processors to the same LAG.

Adding a second NP6 processor to a LAG increases the offloading capacity of the LAG, and adding a third increases it further. However, the offloading capacity is not necessarily doubled by adding a second NP6 or tripled by adding a third. Traffic and load conditions and other factors can limit the actual offloading result.

The increase in offloading capacity offered by LAGs and multiple NP6s is supported by the ISF that allows multiple NP6 processors to share session information. Most FortiGate units with multiple NP6 processors also have an ISF.

FortiGate-200E/201E, 900D, 1000D, 2000E and 2500E do not have an ISF. Therefore, it is not possible to create a LAG that includes interfaces connected to both NP6 processors. For example, it is not possible to create a LAG that includes portA and portB of the FortiGate-900D, as they belong to different NP6 processors. To find out which ports belong to which NP6, the following command can be used:

diagnose npu np6 port-list

Below is a sample output from FortiGate-900D.
FGT900D # diagnose npu np6 port-list
Chip   XAUI Ports            QSGMII Max   Cross-chip
                                    Speed offloading
------ ---- -------          ------ ----- ----------
np6_0  NA   port17           15     1G    Yes
       NA   port18           14     1G    Yes
       NA   port19           13     1G    Yes
       NA   port20           12     1G    Yes
       NA   port21           11     1G    Yes
       NA   port22           10     1G    Yes
       NA   port23           9      1G    Yes
       NA   port24           8      1G    Yes
       NA   port27           7      1G    Yes
       NA   port28           6      1G    Yes
       NA   port25           5      1G    Yes
       NA   port26           4      1G    Yes
       NA   port31           3      1G    Yes
       NA   port32           2      1G    Yes
       NA   port29           1      1G    Yes
       NA   port30           0      1G    Yes
       2    portB            NA     10G   Yes
------ ---- -------          ------ ----- ----------
np6_1  NA   port1            15     1G    Yes
       NA   port2            14     1G    Yes
       NA   port3            13     1G    Yes
       NA   port4            12     1G    Yes
       NA   port5            11     1G    Yes
       NA   port6            10     1G    Yes
       NA   port7            9      1G    Yes
       NA   port8            8      1G    Yes
       NA   port11           7      1G    Yes
       NA   port12           6      1G    Yes
       NA   port9            5      1G    Yes
       NA   port10           4      1G    Yes
       NA   port15           3      1G    Yes
       NA   port16           2      1G    Yes
       NA   port13           1      1G    Yes
       NA   port14           0      1G    Yes
       2    portA            NA     10G   Yes
------ ---- -------          ------ ----- ----------
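The following is an added example, not part of the original article or Fortinet code: it parses output in the format shown above and checks whether a proposed set of LAG members sits on a single NP6, which is the constraint on models without an ISF. The function names `port_to_chip` and `check_lag` are hypothetical, and the embedded sample is a constructed, abbreviated copy of the FortiGate-900D output.

```python
import re

# Constructed sample: abbreviated from the FortiGate-900D output shown above.
SAMPLE = """\
Chip   XAUI Ports            QSGMII Max   Cross-chip
                                    Speed offloading
------ ---- -------          ------ ----- ----------
np6_0  NA   port17           15     1G    Yes
       NA   port18           14     1G    Yes
       2    portB            NA     10G   Yes
------ ---- -------          ------ ----- ----------
np6_1  NA   port1            15     1G    Yes
       NA   port2            14     1G    Yes
       2    portA            NA     10G   Yes
------ ---- -------          ------ ----- ----------
"""

# A data row: optional chip name, then XAUI, port, QSGMII, speed, cross-chip flag.
ROW = re.compile(
    r"^(?P<chip>np6\w*)?\s+(?P<xaui>\S+)\s+(?P<port>\S+)\s+"
    r"(?P<qsgmii>\S+)\s+(?P<speed>\d+G)\s+(?P<cross>Yes|No)\s*$"
)

def port_to_chip(output):
    """Map each port name to the NP6 chip it is connected to."""
    mapping, chip = {}, None
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, prompt or blank line
        chip = m.group("chip") or chip  # continuation rows inherit the chip
        if chip is None:
            raise ValueError(f"data row before any chip name: {line!r}")
        mapping[m.group("port")] = chip
    return mapping

def check_lag(members, mapping):
    """Return (ok, by_chip); ok is True only if all members share one NP6."""
    unknown = [p for p in members if p not in mapping]
    if unknown:
        raise ValueError(f"ports not present in port-list output: {unknown}")
    by_chip = {}
    for port in members:
        by_chip.setdefault(mapping[port], []).append(port)
    return len(by_chip) == 1, by_chip

if __name__ == "__main__":
    chips = port_to_chip(SAMPLE)
    for lag in (["portA", "portB"], ["port1", "port2", "portA"]):
        print(lag, check_lag(lag, chips))
```
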
The diagram below shows the connections between the two NP6Lite processors on FortiGate-200E.
As this model does not include a switch fabric, LAGs cannot be created between interfaces connected to different NP6Lites.
Traffic will only be offloaded if it enters and exits the FortiGate.





There is no such restriction for other FortiGate models such as 1200D or 1500D, as all the ports are connected to an ISF.


Related Articles

Technical Tip: Hardware Acceleration Processors
