Markus_M
Staff
Article Id 196337

Description


This article describes a limitation of the FortiGate network processors (NPs).

Certain interfaces cannot be offloaded to the NP at all.

These limits apply to the virtual (software) interfaces listed below.

 

Scope

 

FortiGate.

 

Solution

 

Loopback interface.

A loopback interface is a logical interface that is always up, because it does not depend on a physical link.
It is commonly used as the source interface for BGP peering with neighbors and as the termination interface for IPsec VPN tunnels.

Because it is a software interface, traffic through it cannot be offloaded to the network processors.

Example of Loopback interface.

 

config system interface
    edit "Lo1"
        set vdom "root"
        set ip 192.168.1.33 255.255.255.255
        set allowaccess ping
        set type loopback
        set snmp-index 50
    next
end

 

Note:

For devices with an NP7 running FortiOS 7.0.6 or later in the 7.0 branch, or 7.2.1 or later, hardware acceleration is supported on loopback interfaces.

Refer to the below KB article:

Technical Tip: Information about IPsec on loopback interface and hardware acceleration

 

Software switch.

Software switches are supported on certain FortiGate models.
All member interfaces of the virtual switch behave like the ports of a hardware switch: the switch has a single IP address and all members connect to the same network.

The FortiGate CPU maintains the MAC-to-port table of the software switch, so its traffic is not handled by the network processors.

Example of a software switch interface.

 
 

config system switch-interface
    edit <interface>
        set vdom <vdom>
        set member <interface_list>
        set type switch
    next
end

 

PPPoE Interface.

PPPoE is commonly used to connect to the provider edge.
It is handled by a PPP software process, and the connection terminates on a virtual interface whose traffic cannot be hardware accelerated.

Example of PPPoE interface.

 

config system interface
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set allowaccess ping
        set type physical
        set scan-botnet-connections block
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
        end
        set username "user@abc.com"
        set dns-server-override disable
    next
end

 

IPsec VPN over EMAC-VLAN.

 

On FortiOS 6.4.9 and later, IPsec VPN over an EMAC-VLAN interface does not support NPU offload because of kernel and NPU limitations.

 

Example of IPsec VPN over EMAC-VLAN interface.

 

config system interface
    edit "VLAN200"
        set vdom "root"
        set interface "wan2"
        set vlanid 200
    next
    edit "AS-EMAC"
        set vdom "AS"
        set ip 10.0.200.99 255.255.255.0
        set allowaccess ping
        set type emac-vlan
        set interface "VLAN200"
    next
end

 

config vdom
    edit AS
        config vpn ipsec phase1-interface
            edit "AS-VPN"
                set interface "AS-EMAC"  <- The IPsec VPN is bound to the EMAC-VLAN interface.
                set peertype any
                set net-device disable
                set proposal aes128-sha256
                set remote-gw 10.0.58.158
                set psksecret *******
            next
        end
    next
end

 

VNE tunnel sessions are a partial exception: they can be offloaded on the SOC4 (NP6XLite) platform, but not on SOC3.

To have traffic offloaded to the network processors (NPs), use physical interfaces, or VLAN interfaces bound to fixed NP ports.

 

A standard VDOM link (inter-VDOM link) does not support NPU acceleration or offload; the article on NPU VDOM links below covers the alternative.
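To confirm on a running unit which sessions actually missed offload, and whether a software interface from the list above (loopback, software switch, PPPoE, EMAC-VLAN, VDOM link) is the cause, it helps to parse the output of diagnose sys session list rather than read it by eye. The script below is an added example written for this article, not Fortinet code: it splits a session dump into sessions, reads the npu_state line and the no_ofld_reason line, and groups the non-offloaded sessions by reason. The embedded session dump is constructed and abridged; the field layout follows real FortiOS output, but every address, interface index and policy ID is invented, and the parser assumes IPv4 sessions and the reason strings non-npu-intf and disabled-by-policy as FortiOS prints them.

```python
"""Triage a FortiOS `diagnose sys session list` dump: which sessions were not
offloaded to the NP, and why. Added example, not Fortinet code."""
import re
from collections import Counter

# Constructed, abridged sample of `diagnose sys session list` output. Layout
# follows real FortiOS output (including its "orgin->sink" spelling); all
# values are invented. Session 1 is offloaded, session 2 touches a software
# interface, session 3 has offload disabled in the firewall policy.
SAMPLE_DUMP = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 use=3
state=log may_dirty npu
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=10.0.0.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:51234->93.184.216.34:443(10.0.0.2:51234)
hook=pre dir=reply act=dnat 93.184.216.34:443->10.0.0.2:51234(192.168.1.10:51234)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
npu_state=0x4000c00 ofld-O/R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=66/65, ipid=65/66, vlan=0x0000/0x0000

session info: proto=6 proto_state=01 duration=4 expire=3596 timeout=3600 flags=00000000 use=3
state=may_dirty
orgin->sink: org pre->post, reply pre->post dev=23->6/6->23 gwy=10.0.0.1/10.0.200.10
hook=post dir=org act=snat 10.0.200.10:40001->203.0.113.5:443(10.0.0.2:40001)
hook=pre dir=reply act=dnat 203.0.113.5:443->10.0.0.2:40001(10.0.200.10:40001)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=1
npu_state=0x000000
no_ofld_reason:  non-npu-intf

session info: proto=17 proto_state=01 duration=1 expire=179 timeout=180 flags=00000000 use=3
state=may_dirty
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=10.0.0.1/192.168.1.10
hook=post dir=org act=snat 192.168.1.10:5353->8.8.8.8:53(10.0.0.2:5353)
hook=pre dir=reply act=dnat 8.8.8.8:53->10.0.0.2:5353(192.168.1.10:5353)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
npu_state=0x000000
no_ofld_reason:  disabled-by-policy
total session 3
"""

# Kernel interface indexes: original in->out / reply in->out.
DEV_RE = re.compile(r"dev=(\d+)->(\d+)/(\d+)->(\d+)")
# Original-direction 5-tuple; IPv4 only (IPv6 addresses contain colons).
ORG_RE = re.compile(r"hook=\S+ dir=org act=\S+ (\S+?):(\d+)->(\S+?):(\d+)")
NPU_RE = re.compile(r"npu_state=(0x[0-9a-fA-F]+)(.*)")
REASON_RE = re.compile(r"no_ofld_reason:\s*(\S.*)")
PROTO_RE = re.compile(r"proto=(\d+)")
POLICY_RE = re.compile(r"policy_id=(\d+)")


def parse_sessions(dump):
    """Split the dump into session blocks and extract the offload-relevant
    fields. Returns one dict per session, in dump order."""
    sessions = []
    for block in dump.split("session info:")[1:]:
        s = {"offloaded": False, "reason": None, "src": None, "dst": None,
             "in_dev": None, "out_dev": None, "proto": None, "policy_id": None}
        if m := PROTO_RE.search(block):
            s["proto"] = int(m.group(1))
        if m := POLICY_RE.search(block):
            s["policy_id"] = int(m.group(1))
        if m := DEV_RE.search(block):
            s["in_dev"], s["out_dev"] = int(m.group(1)), int(m.group(2))
        if m := ORG_RE.search(block):
            s["src"] = f"{m.group(1)}:{m.group(2)}"
            s["dst"] = f"{m.group(3)}:{m.group(4)}"
        if m := NPU_RE.search(block):
            # FortiOS appends "ofld-O/R" (original/reply direction) once the
            # session has been pushed to the NP; a bare npu_state=0x000000
            # means the kernel (CPU) is forwarding it.
            s["npu_state"] = int(m.group(1), 16)
            s["offloaded"] = "ofld-" in m.group(2)
        if m := REASON_RE.search(block):
            s["reason"] = m.group(1).strip()
        sessions.append(s)
    return sessions


def summarize(sessions):
    """Count non-offloaded sessions per no_ofld_reason."""
    return Counter(s["reason"] or "unknown" for s in sessions if not s["offloaded"])


def non_npu_interface_sessions(sessions):
    """Sessions refused by the NP because an endpoint sits on a software
    interface (loopback, software switch, PPPoE, EMAC-VLAN, VDOM link...)."""
    return [s for s in sessions if s["reason"] == "non-npu-intf"]


def dev_ids_needing_review(sessions):
    """Interface indexes involved in non-npu-intf sessions, to be mapped to
    interface names on the FortiGate."""
    ids = set()
    for s in non_npu_interface_sessions(sessions):
        ids.update((s["in_dev"], s["out_dev"]))
    return sorted(ids)


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_DUMP)
    print("non-offloaded sessions by reason:", dict(summarize(parsed)))
    for s in non_npu_interface_sessions(parsed):
        print(f"policy {s['policy_id']}: {s['src']} -> {s['dst']} "
              f"dev {s['in_dev']}->{s['out_dev']}")
    print("interface indexes to check:", dev_ids_needing_review(parsed))
```

On the FortiGate, narrow the dump first (for example diagnose sys session filter dst <ip>, and diagnose sys session filter clear afterwards), then feed the output of diagnose sys session list to parse_sessions(). The interface indexes reported for non-npu-intf sessions can be resolved to interface names with diagnose netlink interface list; if one of them is a loopback, software switch, PPPoE, EMAC-VLAN or VDOM link interface, the missing offload is expected and the fix is to move that traffic onto a physical or fixed-port VLAN interface as recommended above.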

Related link concerning NP6 and NP6 lite acceleration:
NP6 and NP6lite acceleration

Technical Tip: Difference and understanding between NPU Vdom link, NPU Vdom link with VLAN and Vdom ...