FortiGate
msolanki
Staff
Article Id 212709
Description

This article describes the basic differences between an NPU VDOM link, an NPU VDOM link with a VLAN ID, and a regular (non-NPU) VDOM link.

Scope

FortiGate.

Solution

NPU VDOM Link:

NPU VDOM links are built in: once multi-VDOM mode is enabled, the 'npu0_vlink' interfaces become visible in the FortiGate interface list.

If the hardware has an NP4 or NP6 processor, the interfaces appear as 'npu0_vlink0' and 'npu0_vlink1' in the interface list.

This VDOM link can be used for communication between two VDOMs.

When the FortiGate hardware has multiple NPUs (NP6 or NP4), it is always good to keep the ingress and egress interfaces on the same NPU for better performance.

config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set type physical
        set snmp-index 22
    next
    edit "npu0_vlink1"
        set vdom "root"
        set type physical
        set snmp-index 23
    next
end

NPU VDOM Link with VLAN:

An NPU VDOM link with a VLAN tag works like a sub-interface and can be used when multiple VDOMs need to be connected over the same NPU link.

For the link to work, the VLAN interfaces must be added to the two ends of the same NPU VDOM link (npu0_vlink0 and npu0_vlink1 in the example below), must use the same VLAN ID, and must have IP addresses in the same subnet.

Topology: (screenshot)

Interface with VLAN 100 in the root VDOM:

config system interface
    edit "VLAN-100"
        set vdom "root"  <----- VLAN sub-interface placed in the 'root' VDOM.
        set ip 100.0.0.1 255.255.255.252
        set allowaccess ping https ssh snmp http fgfm
        set alias "npu0_vlink0_100"
        set device-identification enable
        set role lan
        set snmp-index 30
        set interface "npu0_vlink0"  <----- The NPU-accelerated virtual link port on the 'root' VDOM.
        set vlanid 100
    next
end

Interface with VLAN 100 in the Vdom-1 VDOM:

config system interface
    edit "Vdom-1_VLAN-100"
        set vdom "Vdom-1"  <----- VLAN sub-interface placed in the 'Vdom-1' VDOM.
        set ip 100.0.0.2 255.255.255.252
        set allowaccess ping https ssh snmp http
        set alias "npu0_vlink1_100"
        set device-identification enable
        set role lan
        set snmp-index 31
        set interface "npu0_vlink1"  <----- The NPU-accelerated virtual link port on the 'Vdom-1' VDOM.
        set vlanid 100
    next
end

Traffic from Vdom-1 is sent to the root VDOM over the link 'npu0_vlink1' -> 'npu0_vlink0'. This kind of connection is needed when internet access is available only through the root VDOM: traffic from Vdom-1 then reaches the internet through the root VDOM over this NPU link.
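The three conditions above (same NPU VDOM link, same VLAN ID, same subnet) are easy to get wrong when many VLAN pairs are configured. The following script is an added example, not part of this article or of FortiOS: it parses 'config system interface' stanzas from a saved configuration and reports which conditions a VLAN pair violates. The sample configuration is constructed from the article's VLAN 100 example, and the rule that the two parents must be vlink0 and vlink1 of the same NPU is this example's own interpretation of "the same NPU VDOM link interface".

```python
import ipaddress
import re
# Constructed sample (not from a live device): the article's two VLAN-100 sub-interfaces.
SAMPLE_CONFIG = """
config system interface
    edit "VLAN-100"
        set vdom "root"
        set ip 100.0.0.1 255.255.255.252
        set interface "npu0_vlink0"
        set vlanid 100
    next
    edit "Vdom-1_VLAN-100"
        set vdom "Vdom-1"
        set ip 100.0.0.2 255.255.255.252
        set interface "npu0_vlink1"
        set vlanid 100
    next
end
"""
def parse_interfaces(text):
    # Parse 'edit NAME ... set KEY VALUE ... next' stanzas into {name: {key: value}}.
    interfaces, name, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            name, current = m.group(1), {}
        elif line == "next" and name is not None:
            interfaces[name] = current
            name, current = None, None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return interfaces
def check_npu_vlink_pair(interfaces, a, b):
    # Return the problems found with VLAN pair (a, b); an empty list means it is consistent.
    ia, ib = interfaces[a], interfaces[b]
    # Assumption: the ends must sit on npuN_vlink0 and npuN_vlink1 of the same NPU N.
    pa, pb = (re.match(r"(npu\d+)_vlink([01])$", i["interface"]) for i in (ia, ib))
    same_vlink = bool(pa and pb and pa.group(1) == pb.group(1) and pa.group(2) != pb.group(2))
    # 'ip ADDR MASK' becomes ADDR/MASK, which ipaddress accepts; then compare the networks.
    na, nb = (ipaddress.ip_interface(i["ip"].replace(" ", "/")).network for i in (ia, ib))
    checks = [
        (ia["vdom"] == ib["vdom"], "both ends are in the same VDOM"),
        (ia["vlanid"] != ib["vlanid"], "VLAN IDs differ"),
        (not same_vlink, "parents are not the two ends of one NPU vlink"),
        (na != nb, "IP addresses are not in the same subnet"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run it against the output of 'show system interface' saved to a file; a non-empty list from check_npu_vlink_pair explains why a pair will not pass traffic.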

Another VLAN interface can be created in the same way, for example VLAN 300 between the root VDOM and Vdom-3.

Interface with VLAN 300 in VDOM 'root' and VDOM 'Vdom-3':

VDOM root: (screenshot)

VDOM Vdom-3: (screenshot)

The same can be done for an NPU VDOM link between non-root VDOMs; for example, an NPU VDOM link with VLAN 105 is used to connect Vdom-2 and Vdom-4.

VDOM Vdom-2: (screenshot)

VDOM Vdom-4: (screenshot)

VDOM Link:

As many VDOM links as necessary can be created to communicate between any two VDOMs on a FortiGate.

A VDOM link is similar to the VLAN sub-interface approach above: it is a virtual interface between two VDOMs, over which inter-VDOM routing between those two VDOMs is achieved.

A VDOM link does not support NPU acceleration or offloading, which is the main difference from the NPU VDOM link.

The example below shows one (non-NPU) VDOM link created between Vdom-2 and Vdom-4, as per the topology, with IP 106.0.0.0/32.

(screenshot)

In the same way, a VDOM link can be created between the root VDOM and Vdom-1, Vdom-2, and so on.

Related document

Inter-VDOM routing