FortiGate
msolanki
Staff
Article Id 212709
Description

 

This article describes the basic differences between an NPU VDOM link, an NPU VDOM link with a VLAN ID, and a (software) VDOM link.

 

Scope

 

FortiGate.

 

Solution

 

- NPU Vdom Link.

 

NPU VDOM links are built in: as soon as multi-VDOM mode is enabled, the 'npu0_vlink' interfaces appear in the FortiGate interface list.

For example, on hardware with an NP4 or NP6lite processor, the interfaces appear as 'npu0_vlink0' and 'npu0_vlink1' in the interface list.

 

This VDOM link can be used for traffic between two VDOMs.

When the FortiGate hardware has more than one NPU (for example NP6 and NP4), it is best to keep the ingress and egress interfaces of a session on the same NPU, for better performance.

 

The two link interfaces as they appear in the configuration (they are created by the system, not by the administrator, and have no IP address of their own):

config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set type physical
        set snmp-index 22
    next
    edit "npu0_vlink1"
        set vdom "root"
        set type physical
        set snmp-index 23
    next
end

 


 

- NPU Vdom Link with VLAN.

 

An NPU VDOM link with a VLAN tag works like a sub-interface and can be used when several VDOMs need to be connected over the same NPU link.

For a link to work, the two VLAN interfaces must be added to the two ends of the same NPU VDOM link pair (npu0_vlink0 and npu0_vlink1), must be on the same subnet, and must have the same VLAN ID.

 

Topology diagram (image in the original article).

 

Interface with VLAN 100 in the root VDOM, and its peer in Vdom-1. Note the vdom, interface and vlanid settings: both sub-interfaces use VLAN 100, share the 100.0.0.0/30 subnet, and sit on the two ends of the npu0_vlink pair.

config system interface
    edit "VLAN-100"
        set vdom "root"
        set ip 100.0.0.1 255.255.255.252
        set allowaccess ping https ssh snmp http fgfm
        set alias "npu0_vlink0_100"
        set device-identification enable
        set role lan
        set snmp-index 30
        set interface "npu0_vlink0"
        set vlanid 100
    next
    edit "Vdom-1_VLAN-100"
        set vdom "Vdom-1"
        set ip 100.0.0.2 255.255.255.252
        set allowaccess ping https ssh snmp http
        set alias "npu0_vlink1_100"
        set device-identification enable
        set role lan
        set snmp-index 31
        set interface "npu0_vlink1"
        set vlanid 100
    next
end

The allowaccess lists above come from a lab setup. On a production inter-VDOM link, management protocols such as http, ssh and snmp are rarely needed on the link itself and can be left off; ping alone is enough for reachability tests.

 


 

In the same way, another VLAN interface, for example VLAN 300, can be created between the root VDOM and vdom-3.

- Interface with VLAN 300 in the root and vdom-3 VDOMs.

In the root VDOM: a VLAN 300 sub-interface on one end of the npu0_vlink pair (screenshot in the original article).

In vdom-3: the matching VLAN 300 sub-interface on the other end of the pair (screenshot in the original article).

An NPU VDOM VLAN link can also be created between two non-root VDOMs, for example a VLAN 105 link between vdom-2 and vdom-4.

In vdom-2: a VLAN 105 sub-interface on one end of the npu0_vlink pair (screenshot in the original article).

In vdom-4: the matching VLAN 105 sub-interface on the other end of the pair (screenshot in the original article).
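The two links just described, written out as FortiOS CLI. This is an added example that follows the page's VLAN 100 pattern; it is not the configuration shown in the original screenshots. The VDOM names (root, vdom-3, vdom-2, vdom-4), the interface names and aliases, and the 10.0.30.0/30 and 10.0.105.0/30 subnets are assumptions; in multi-VDOM mode the interface configuration is entered under config global.

```text
# Added example (not from the original article): NPU VDOM VLAN links
# following the same pattern as the VLAN 100 link shown above.
# Assumed: VDOMs root, vdom-3, vdom-2 and vdom-4 already exist; the interface
# names, aliases and the 10.0.30.0/30 and 10.0.105.0/30 subnets are assumptions.
config global
    config system interface
        # VLAN 300: root <-> vdom-3, one sub-interface on each end of the
        # npu0_vlink0/npu0_vlink1 pair, same VLAN ID, same /30 subnet.
        edit "VLAN-300"
            set vdom "root"
            set ip 10.0.30.1 255.255.255.252
            set allowaccess ping
            set alias "npu0_vlink0_300"
            set interface "npu0_vlink0"
            set vlanid 300
        next
        edit "Vdom-3_VLAN-300"
            set vdom "vdom-3"
            set ip 10.0.30.2 255.255.255.252
            set allowaccess ping
            set alias "npu0_vlink1_300"
            set interface "npu0_vlink1"
            set vlanid 300
        next
        # VLAN 105: vdom-2 <-> vdom-4, two non-root VDOMs sharing the same
        # NPU link pair; the VLAN ID keeps this link separate from VLAN 100/300.
        edit "Vdom-2_VLAN-105"
            set vdom "vdom-2"
            set ip 10.0.105.1 255.255.255.252
            set allowaccess ping
            set alias "npu0_vlink0_105"
            set interface "npu0_vlink0"
            set vlanid 105
        next
        edit "Vdom-4_VLAN-105"
            set vdom "vdom-4"
            set ip 10.0.105.2 255.255.255.252
            set allowaccess ping
            set alias "npu0_vlink1_105"
            set interface "npu0_vlink1"
            set vlanid 105
        next
    end
end
```

Each VLAN ID is used exactly once per end of the pair, so a mismatch (for example VLAN 300 on one end and VLAN 301 on the other) leaves the two sub-interfaces unable to see each other. Creating the interfaces is only the data-link layer: each VDOM still needs a static route pointing at the peer address and a firewall policy that permits the traffic before anything passes over the link.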

 

- VDOM Link.

 

VDOM links can be created as needed, so that any two VDOMs on the FortiGate can communicate.

A VDOM link is a pair of virtual interfaces, one in each of the two VDOMs. Like the VLAN sub-interfaces above, it gives each VDOM an interface on which routes and firewall policies can be applied, and so enables inter-VDOM routing between those two VDOMs.

Unlike the NPU VDOM link, a VDOM link is not NPU accelerated: traffic crossing it is not offloaded and is processed by the CPU.

 

In the example below, one (non-NPU) VDOM link is created between vdom-2 and vdom-4, as in the topology, with IP 106.0.0.0/32 (screenshots in the original article).

 


 

In the same way, a VDOM link can be created between root and vdom-1, vdom-2, and so on.
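A software VDOM link between vdom-2 and vdom-4 as FortiOS CLI, including the route and policy that the link needs before traffic flows. This is an added example, not the configuration from the original screenshots: the link name vl24, the 106.0.0.0/30 addressing (the page's screenshots use 106.0.0.0/32), the 10.4.0.0/16 network behind vdom-4, and the interface port2 in vdom-2 are assumptions.

```text
# Added example (not from the original article): a software (non-NPU)
# VDOM link between vdom-2 and vdom-4.
# Assumed: link name "vl24", 106.0.0.0/30 addressing, 10.4.0.0/16 behind
# vdom-4, and "port2" as the LAN interface of vdom-2.
config global
    # Creating the link object produces two interfaces, vl240 and vl241.
    # "ethernet" type allows a normal /30 subnet on the two ends.
    config system vdom-link
        edit "vl24"
            set type ethernet
        next
    end
    # Assign one end to each VDOM and address them as a point-to-point subnet.
    config system interface
        edit "vl240"
            set vdom "vdom-2"
            set ip 106.0.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "vl241"
            set vdom "vdom-4"
            set ip 106.0.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end
# Routing and policy are per VDOM. vdom-2 needs a route to vdom-4's networks
# via the link, and a policy that permits only the traffic that should cross;
# the mirror route and policy are needed in vdom-4 for the return direction.
config vdom
    edit vdom-2
        config router static
            edit 0
                set dst 10.4.0.0 255.255.0.0
                set gateway 106.0.0.2
                set device "vl240"
            next
        end
        config firewall policy
            edit 0
                set name "lan-to-vdom-4"
                set srcintf "port2"
                set dstintf "vl240"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTPS" "DNS"
                set logtraffic all
            next
        end
    end
end
```

Because a VDOM link is a CPU path, it suits management-plane or low-volume traffic; for a high-throughput pair of VDOMs the NPU VDOM link with a VLAN ID from the previous section is the better choice. Keeping the policy's service list narrow and logging enabled on the link matters here: the link joins two security domains that were separated on purpose, so it should carry only the traffic the design requires.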