johnlloyd_13
Contributor

Create NPU Accelerated VDOM Link

Hi,

I'm trying to configure a VDOM link between 'root' and a separate VDOM 'internet' which provides public/internet access. I tried to configure a plain VDOM link first, but when I try to edit it, I can't add it to an 'npu_vlink' interface.

But when I tried to create the reverse, i.e. I created npu0_vlink0 for 'root' with a /30 IP address and npu0_vlink1 for 'internet', I can't add the inter-VDOM link. See attached photos.

My questions:

1. Can the FG 40F support an NPU-enabled VDOM link?

2. Do I just create a "plain" VDOM link without NPU acceleration?

3. What are the correct steps/sequence to create a VDOM link with NPU acceleration on a 40F?

 

[Attached images: fg-1.png, fg-2.png]

Toshi_Esumi
SuperUser

npu0-vlink0 and 1 both live in root vdom, which you can't move. Therefore, you can't assign IPs from the same subnet to two different interfaces in the same vdom.

To create a link between two different VDOMs through the NPU, you need to create a pair of VLAN interfaces with the same VLAN ID on both -vlink0 and -vlink1 and place them in the two VDOMs so that the VLAN traffic goes through the NPU. Look at the KB below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Difference-and-understanding-between-NPU-V...

 

Now all F-series FortiGates, including 40F, have one or more NPUs built in.

 

Toshi
 

johnlloyd_13
Contributor

Hi,

Thanks for the info!

I guess I need to create a new interface, create a common VLAN and /30 IP subnet, and put each npu_vlink on a VDOM.

Is the VLAN just internal on the FG, i.e. it doesn't need to be an interface connected to a physical switch?

I.e. root to internet = VLAN 100, customer-A to internet = VLAN 200, and so on?

Is the npu_vlink limited to just 2: vlink0 and vlink1?

What if I needed more NPU accelerated vlinks for the customer-A to internet VDOM pair and so forth?

Toshi_Esumi

NPU is internal, no direct connection to physical ports. Therefore all VLANs you put on the npu-vlink are internal. I would avoid overlapping them with other VLANs on those physical ports though. I don't know what would happen if you use the same VLAN ID on both npu-vlink and other ports.

If you meant "customer-A" is the 3rd VDOM in addition to root and internet, yes, that's how you should use those VLANs on npu-vlink.

Yes, npu-vlink has only two interfaces. There might be multiple NPUs like npu0, npu1, and so on, depending on models. 40F has only one, as you know already. You can use those two interfaces to bridge any pairs of VDOMs, like root-internet, say VLAN 100, root-Customer-A, VLAN 200, Customer-A-internet, VLAN 300 (only three pairs are needed among 3 VDOMs). 40F supports only up to 10 VDOMs, so the max you might need would be 9+8+7+6+5+4+3+2+1=45 VLANs. I would assume the NPU on the 40F is capable of covering way more than that.

 

Toshi

johnlloyd_13
Contributor

Hi,

Thanks! I managed to create an NPU VDOM link using a VLAN for root-internet.

I also managed to create a static route and FW policy, and the root VDOM was able to get internet and reach the FortiGuard cloud.

I'll probably use a "higher" VLAN number, i.e. 4001, 4002, etc., to avoid mixing with customers using lower VLAN numbers on the physical sub-interface ports.
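The root-internet NPU VDOM link that Toshi describes above (one VLAN sub-interface with the same VLAN ID on each side of npu0_vlink, each placed in a different VDOM) plus the static route and policy confirmed in this last post, written out as FortiOS CLI. This is an added example, not configuration from either poster: the sub-interface names, the 10.255.0.0/30 addressing and the WAN port name "wan" are assumptions, and VLAN 4001 follows the high-ID convention suggested above.

```text
# Global scope: the two VLAN sub-interfaces share VLAN ID 4001 but live in
# different VDOMs, so traffic between them crosses the NPU vlink internally.
# Interface names and the /30 are constructed for this example.
config global
    config system interface
        edit "root_to_inet"
            set vdom "root"
            set interface "npu0_vlink0"
            set vlanid 4001
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "inet_to_root"
            set vdom "internet"
            set interface "npu0_vlink1"
            set vlanid 4001
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# root VDOM: default route via the 'internet' side of the link.
config vdom
    edit root
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.0.2
                set device "root_to_inet"
            next
        end
    next
end

# internet VDOM: policy from the link to the WAN port (name "wan" assumed)
# with source NAT. Narrow srcaddr/service to what root actually needs.
config vdom
    edit internet
        config firewall policy
            edit 0
                set srcintf "inet_to_root"
                set dstintf "wan"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```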
