Solution

The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows configuring multiple virtual interfaces, each with its own MAC address (and therefore its own IP address), on a single physical interface. FortiGate implements an enhanced MAC VLAN (EMAC VLAN), which is a MAC VLAN with bridge functionality. Refer to the following document for more information on the EMAC VLAN functionality of FortiGate: Enhanced MAC VLANs

The following points should be considered before configuring EMAC VLAN in the environment:

- NP6 only partially supports EMAC VLAN offloading. For example, traffic between pure EMAC VLANs (where the emac-vlan is not assigned a VLAN ID) is not offloaded.
- NP6 offload is disabled for IPsec over pure EMAC VLANs (where the emac-vlan is not assigned a VLAN ID); see the notes below.
For cases that have issues with EMAC VLAN traffic when offloading is enabled, apply the following workaround: disable NPU offloading on the firewall policy and/or on the IPsec phase 1 interface that uses the EMAC VLAN interface.

    config firewall policy
        edit <id>
            set auto-asic-offload disable
        next
    end

    config vpn ipsec phase1-interface
        edit <tunnel_name>
            set npu-offload disable
        next
    end

NP6xlite behaves the same as NP6: EMAC VLAN offloading to the NPU is only partially supported by these ASICs, and the same workaround applies.
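The following is an added, end-to-end example (not taken from the original article) that puts the workaround in context: it creates a pure EMAC VLAN interface on a physical port, binds a site-to-site IPsec phase 1 to it with NPU offload disabled, and adds a policy into the tunnel with ASIC offload disabled. The interface, tunnel and policy names, the addresses and the policy ID are assumed placeholders for illustration.

```fortios
# Added example (not from the original article). Interface, tunnel and policy
# names, addresses and IDs are placeholders chosen for illustration.

# 1. Pure EMAC VLAN on port1 (no vlanid): on NP6/NP6xlite this is the case
#    where IPsec over the EMAC VLAN is NOT offloaded, so offload is turned off
#    explicitly below instead of relying on the ASIC to fall back.
config system interface
    edit "emac1"
        set vdom "root"
        set type emac-vlan
        set interface "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping
    next
end

# 2. IPsec phase 1 bound to the EMAC VLAN; npu-offload disabled so the tunnel
#    is handled by the CPU rather than a partially supporting NPU.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "emac1"
        set ike-version 2
        set remote-gw 198.51.100.1
        set psksecret <pre-shared-key>
        set npu-offload disable
    next
end

config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
    next
end

# 3. Route the remote site into the tunnel interface.
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "to-branch"
    next
end

# 4. Policy carrying LAN traffic into the tunnel, with ASIC offload disabled.
config firewall policy
    edit 10
        set name "lan-to-branch"
        set srcintf "port2"
        set dstintf "to-branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
    next
end
```

To confirm the workaround took effect, filter the session table on traffic through the tunnel (for example `diagnose sys session filter dst 10.20.0.0-10.20.255.255`, then `diagnose sys session list`) and check the session's NPU fields: a session that is deliberately kept on the CPU shows a non-offload reason, typically `no_ofld_reason: disabled-by-policy`, rather than an offloaded `npu_state`. If the EMAC VLAN is later given a VLAN ID (`set vlanid <id>` under the interface), it is no longer a pure EMAC VLAN and the NP7 offload conditions described later in this article apply instead.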
Note:
- Due to restrictions on offloading EMAC VLAN traffic, newer FortiOS releases (starting with v6.2.8, v6.4.9, and v7.0.2) disable EMAC VLAN traffic offloading to NP6 or NP6xlite (SoC4) in scenarios where it is not supported, such as IPsec.
- Starting with v7.6.4, EMAC offloading support has been introduced for SOC4 platforms. This enhancement prevents MAC address flapping by ensuring that the same MAC address is retained before and after offload. The issue is tracked under issue ID 114861 (Resolved issues 7.6.4).
- Consider the NP7 platform if offloading traffic over the EMAC VLAN interface is a priority, as NP7 processors have better EMAC VLAN offload support.
- For NP7 and NP7Lite platforms, site-to-site IPsec traffic can be offloaded when the tunnel interface is attached to an EMAC VLAN interface that is itself attached to an IEEE 802.1Q VLAN interface, in a basic topology.
- In more advanced deployments, such as environments using SD-WAN, VRRP, or VRFs, functional limitations may affect hardware offloading. Sessions passing through two EMAC VLAN interfaces are not supported for NP7/NP7Lite offload.

Related articles:
Technical Tip: NP7/NP7Lite offloading for site-to-site VPN traffic - tunnel interface attached to EMAC-VLAN interface that is attached to IEEE 802.1Q VLAN Interface
NP7 fastpath and EMAC VLANs | FortiOS Hardware Acceleration Manual