Routing on Firewall vs L3 Switches – Comparison

Tags: interface, powerconnect, routing, vlan

So we have an environment with several VLANs connected to a FortiNet firewall using multiple interfaces trunked back to our L3 Dell PowerConnect 6248P switches.

Currently the FortiNet is set up to do the routing for all networks, but I was curious what performance benefit we may get by moving routing from the FortiNet to the Dell switches. I created a test by creating IP addresses for a couple of VLANs on our network on the Dell switches and made sure routing was enabled on the switches. I then set my computer up to use the new test gateway for that switch.

I did a simple ping test to get the latency and it came back with an average of about 1.5ms every time I pinged the new IP address for that VLAN on the switch.

If I change back so my gateway is going through the FortiNet so it does the routing and ping the IP address assigned for the VLAN on the FortiNet, I get an average latency of 0.5ms.

Shouldn't routing through the L3 switches have reduced latency over the FortiNet?

Am I missing some obvious crucial piece to getting this working as I had expected?

Best Answer

Am I missing some obvious crucial piece to getting this working as I had expected?

You mustn't confuse the latency of traffic destined to the switch with the latency through the switch.

When you ping a VLAN interface on a switch, you are quite often hitting the CPU/control plane, which in the case of most enterprise-grade switches is not a very powerful processor, and treats things like inbound ICMP with a very low priority.

Re-run your test by rapidly pinging a device (multiple times) on another subnet when the Firewall is the gateway, and again when the switch is the gateway. You will probably find that latency measurements are now virtually indistinguishable.

Where you will get the best performance improvement though is routing throughput - most switches should be able to route L3 at line rate (at least the majority should for the majority of their interfaces).

Use a tool like iperf to measure throughput between two hosts on different subnets with both the firewall and the switch in path and see what your results look like.

You didn't mention the model of your firewall, but it may handle 1Gbps of traffic without any issue, so be sure to scale your testing!
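The two measurements the answer asks for (rapid ping of a host on another subnet through each gateway, plus an iperf3 throughput run), as an added example that is not part of the original post. It assumes Linux iputils `ping` and `iperf3` are installed, and that `iperf3 -s` is already listening on the host on the other subnet; the embedded ping summary is a constructed sample used only to exercise the parser.

```python
# Added example (not from the post): compare "ping the switch SVI" (answered by
# the switch CPU) with "ping a host through the switch" (hardware forwarded),
# then measure routed throughput with iperf3. Needs iputils ping and iperf3.
import json
import re
import subprocess
import sys

RTT_RE = re.compile(r"(?:rtt|round-trip) min/avg/max(?:/(?:mdev|stddev))? = "
                    r"([\d.]+)/([\d.]+)/([\d.]+)")
LOSS_RE = re.compile(r"(\d+(?:\.\d+)?)% packet loss")
# Constructed sample of a ping summary, used to exercise the parser offline.
SAMPLE_PING = """--- 10.0.20.10 ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 9801ms
rtt min/avg/max/mdev = 0.401/0.512/0.733/0.061 ms
"""

def parse_ping(output):
    """Extract min/avg/max RTT (ms) and packet loss (%) from ping's summary."""
    rtt, loss = RTT_RE.search(output), LOSS_RE.search(output)
    if not rtt or not loss:
        raise ValueError("no ping summary: host unreachable or unknown ping format")
    return {"min": float(rtt.group(1)), "avg": float(rtt.group(2)),
            "max": float(rtt.group(3)), "loss": float(loss.group(1))}

def parse_iperf3(json_text):
    """Return received throughput in Mbit/s from `iperf3 -J` client output."""
    end = json.loads(json_text)["end"]
    summary = end.get("sum_received") or end["sum"]   # TCP vs UDP summaries
    return summary["bits_per_second"] / 1e6

def ping(host, count=50, interval=0.2):
    """Rapid ping (interval in seconds), as the answer suggests."""
    proc = subprocess.run(["ping", "-c", str(count), "-i", str(interval), host],
                          capture_output=True, text=True)
    return parse_ping(proc.stdout)

def iperf3(server, seconds=10):
    """Client side of an iperf3 TCP test; `iperf3 -s` must run on the server."""
    proc = subprocess.run(["iperf3", "-c", server, "-t", str(seconds), "-J"],
                          capture_output=True, text=True, check=True)
    return parse_iperf3(proc.stdout)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: gwtest.py <switch-svi-ip> <host-on-another-subnet>")
    svi, transit_host = sys.argv[1:]
    for label, r in (("to SVI", ping(svi)), ("through GW", ping(transit_host))):
        print(f"{label:11s} avg {r['avg']:.3f} ms, loss {r['loss']:.0f}%")
    print(f"throughput  {iperf3(transit_host):.0f} Mbit/s")
```

Run it once with the workstation's default gateway set to the switch SVI and once set to the FortiNet; the "through GW" line is the number to compare, not the "to SVI" line.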
