Hi all,
I have a FortiGate 501E unit connected to an external switch by a LAG. This aggregated link is supposed to carry multiple VLANs.
My idea is this: rather than defining VLAN interfaces directly upon the LAG interface, I'm thinking of defining a "software switch", joining just a single interface to it (this LAG) and then defining VLAN interfaces upon the "software switch".
The benefit is flexibility and ease of migrations: if in the future I need to move VLAN traffic to another LAG or physical port leading to some new equipment, then instead of redefining all VLAN interfaces upon the new interface, I'll just add it to the same "software switch", gradually move the traffic of all VLANs to flow over it, and then remove the old LAG from the "software switch".
But normally the "software switch" is going to have just a single member, this LAG. It won't really switch any Ethernet frames. All the FortiGate will do is route packets between the VLAN interfaces.
The question is: will usage of a "software switch" in this specific case hurt performance? Will NPUs still be utilized?
Thanks!
If you use a software switch, traffic will be processed by the CPU. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setup-comparison-between-FortiGate-Hardwar...
Regards,
Created on 03-13-2024 10:48 AM Edited on 03-13-2024 10:49 AM
Thank you, @hbac, I've read this.
But the article, as I understand it, talks about really switching frames between member interfaces joined to the same "software switch". My case is a bit different: an IP packet arrives at the FortiGate over the LAG with VLAN tag X, then gets checked by firewall rules and routed to another subnet, and then leaves via the same LAG with VLAN tag Y.
Will processing of traffic be different in these two cases?
a.) IP interfaces for VLANs X & Y are defined directly over the LAG;
b.) IP interfaces for VLANs X & Y are defined over a "software switch" interface, which has the LAG joined as a member?
Thanks!
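The two layouts (a) and (b) asked about above are easy to mix up in a large config, and, as hbac notes, (b) moves the traffic onto the CPU path. The following script is an added example, not code from this thread or from Fortinet: it parses a FortiOS-style CLI fragment ("config system interface" / "config system switch-interface" in the standard edit/set/next/end form) and, for each VLAN interface, reports whether it sits directly on an aggregate/port or on a software switch. The config text is constructed for the example and the interface names (agg1, agg2, sw1, vlan10, vlan20) are hypothetical.

```python
"""
Audit a FortiOS-style config fragment: for every VLAN interface, resolve the
interface it is bound to and flag the case where that interface is a software
switch (layout b) rather than a LAG or physical port (layout a).

Added example, not from the thread.  Assumes standard FortiOS CLI block syntax;
the sample config and all interface names below are constructed/hypothetical.
"""
import shlex

# Constructed sample: vlan10 rides directly on LAG agg1 (layout a), while
# vlan20 rides on software switch sw1 whose only member is LAG agg2 (layout b).
SAMPLE_CONFIG = """\
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port5" "port6"
    next
    edit "agg2"
        set vdom "root"
        set type aggregate
        set member "port7" "port8"
    next
    edit "sw1"
        set vdom "root"
        set type switch
    next
    edit "vlan10"
        set vdom "root"
        set ip 10.0.10.1 255.255.255.0
        set interface "agg1"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.0.20.1 255.255.255.0
        set interface "sw1"
        set vlanid 20
    next
end
config system switch-interface
    edit "sw1"
        set vdom "root"
        set member "agg2"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into
    {"section name": {entry_name: {setting: [values]}}}.
    Nested "config" blocks inside an edit are keyed by their full path."""
    sections = {}
    path = []            # names of the enclosing "config" blocks
    entries = [None]     # entry dict per nesting level (None = not inside an edit)
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted names
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            path.append(" ".join(args))
            entries.append(None)
        elif kw == "edit":
            sect = sections.setdefault(" / ".join(path), {})
            entries[-1] = sect.setdefault(args[0], {})
        elif kw == "set" and entries[-1] is not None:
            entries[-1][args[0]] = args[1:]
        elif kw == "next":
            entries[-1] = None
        elif kw == "end":
            path.pop()
            entries.pop()
    return sections


def vlan_paths(sections):
    """For each VLAN interface, return its parent, whether that parent is a
    software switch, and the LAG/port(s) actually carrying the frames."""
    ifaces = sections.get("system interface", {})
    sw_members = {name: cfg.get("member", [])
                  for name, cfg in sections.get("system switch-interface", {}).items()}
    report = {}
    for name, cfg in ifaces.items():
        if "vlanid" not in cfg:
            continue                       # not a VLAN sub-interface
        parent = cfg.get("interface", [None])[0]
        via_switch = parent in sw_members
        report[name] = {
            "vlanid": int(cfg["vlanid"][0]),
            "parent": parent,
            "via_software_switch": via_switch,
            "underlying": sw_members[parent] if via_switch else [parent],
        }
    return report


if __name__ == "__main__":
    for vlan, info in vlan_paths(parse_fortios(SAMPLE_CONFIG)).items():
        layout = "b: software switch (CPU path)" if info["via_software_switch"] else "a: direct"
        print(f"{vlan} (id {info['vlanid']}) -> {info['parent']} "
              f"-> {', '.join(info['underlying'])}  [{layout}]")
```

Run it against a "show system interface" / "show system switch-interface" dump instead of SAMPLE_CONFIG to list every VLAN that is reached through a software switch; those are the ones whose forwarding the linked Fortinet article says lands on the CPU.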
Copyright 2024 Fortinet, Inc. All Rights Reserved.