Software switch interfaces and NP processors
FortiOS supports creating a software switch by grouping two or more interfaces into a single virtual or software switch interface. All of the interfaces in the software switch act like interfaces in a hardware switch in that they all have the same IP address and can be connected to the same network.
You create a software switch interface from the GUI by going to Network > Interfaces, selecting Create New > Interface and setting Type to Software Switch. Among other settings you can set Inter-Switch policy to Implicit or Explicit.
You create a software switch interface from the CLI using the commands config system switch-interface and config system interface:
config system switch-interface
    edit <switch-interface-name>
        set vdom <vdom>
        set member <interface1> <interface2> ...
        set inter-switch-policy {implicit | explicit}
    next
end
config system interface
    edit <switch-interface-name>
        set vdom <vdom>
        set type switch
        set ip <ip_address>
    next
end
The default setting of inter-switch-policy is implicit, which means traffic is allowed to pass between member interfaces. Setting inter-switch-policy to explicit means that you must create firewall policies between member interfaces to allow traffic to pass between them.
All NP processors support offloading software switch traffic if inter-switch-policy is set to explicit, device-identification is disabled for the interfaces added to the software switch, and you have created firewall policies that allow traffic between software switch interfaces.
NP processors cannot offload software switch traffic if inter-switch-policy is set to implicit. In this case, the software switch is a bridge group of several interfaces, and the FortiGate CPU maintains the mac-port table for this bridge. As a result of this CPU involvement, traffic processed by a software switch with inter-switch-policy set to implicit is not offloaded to network processors.
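The following Python script is an added example, not Fortinet's code: it checks a saved configuration against the three offload conditions above and reports which ones each software switch fails. The sample configuration is constructed; settings absent from the file are assumed to be at their defaults (device-identification off is an assumption, implicit is the default stated above), and policies are matched only by literal member interface names, in either direction.

```python
import re

# Constructed sample config, not from a real device. Assumption: absent settings are at defaults.
SAMPLE = '''
config system switch-interface
    edit "sw-lan"
        set member "port1" "port2"
        set inter-switch-policy explicit
    next
end
config system interface
    edit "port1"
        set device-identification enable
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
end'''

def parse(text):  # flat config/edit/set blocks only; nested config is not handled
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[:1] == ["config"]:
            section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif tok[:1] == ["edit"] and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def offload_blockers(text):  # switch name -> NP-offload conditions it fails
    cfg, report = parse(text), {}
    allowed = {(s, d) for p in cfg.get("firewall policy", {}).values() if p.get("action") == ["accept"]
               for s in p.get("srcintf", []) for d in p.get("dstintf", [])}
    for name, sw in cfg.get("system switch-interface", {}).items():
        members = sw.get("member", [])
        issues = [f"device-identification enabled on {m}" for m in members
                  if cfg.get("system interface", {}).get(m, {}).get("device-identification") == ["enable"]]
        if sw.get("inter-switch-policy", ["implicit"]) != ["explicit"]:  # implicit is the default
            issues.append("inter-switch-policy is implicit")
        elif not any((a, b) in allowed for a in members for b in members if a != b):
            issues.append("no accept policy between members")
        report[name] = issues
    return report
```

An empty list for a switch means all three conditions are met; an implicit switch is also the case where traffic passes between members without any firewall policy.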
For more information about software switch interfaces, see Software switch.