Hi,
I'm trying to configure a VDOM link between 'root' and a separate VDOM 'internet' which provides public/internet access. I tried to configure a plain VDOM link first, but when I try to edit it, I can't add it to an 'npu_vlink' interface.
But when I tried to create the reverse, i.e. I created npu0_vlink0 for 'root' with a /30 IP address and npu0_vlink1 for 'internet', I can't add the inter-VDOM link. See attached photos.
My questions:
1. Can the FG 40F support an NPU-enabled VDOM link?
2. Do I just create a "plain" VDOM link without NPU acceleration?
3. What are the correct steps/sequence to create a VDOM link with NPU acceleration on a 40F?
npu0_vlink0 and npu0_vlink1 both live in the root VDOM, which you can't move. Therefore, you can't assign IPs from the same subnet to two different interfaces in the same VDOM.
To create a link between two different VDOMs through the NPU, you need to create a pair of VLAN interfaces with the same VLAN ID on both npu0_vlink0 and npu0_vlink1 and place them in the two VDOMs so that the VLAN traffic goes through the NPU. Look at the KB below:
Now all F-series FortiGates, including the 40F, have one or more NPUs built in.
Toshi
Hi,
thanks for the info!
I guess I need to create a new interface, create a common VLAN and /30 IP subnet, and put each npu_vlink on a VDOM.
Is the VLAN just internal on the FG? i.e. it doesn't need to be an interface connected to a physical switch?
i.e. root to internet = VLAN 100, customer-A to internet = VLAN 200 and so on?
Is the npu_vlink limited to just 2: vlink0 and vlink1?
What if I needed more NPU-accelerated vlinks, for the customer-A to internet VDOM pair and so forth?
Created on 05-27-2023 09:36 AM Edited on 05-27-2023 09:40 AM
The NPU is internal, with no direct connection to physical ports. Therefore all VLANs you put on the npu-vlink are internal. I would avoid overlapping them with other VLANs on those physical ports, though. I don't know what would happen if you use the same VLAN ID on both the npu-vlink and other ports.
If you mean "customer-A" is a 3rd VDOM in addition to root and internet: yes, that's how you should use those VLANs on the npu-vlink.
Yes. The npu-vlink has only two interfaces. There might be multiple NPUs like npu0, npu1, and so on, depending on the model. The 40F has only one, as you know already. You can use those two interfaces to bridge any pairs of VDOMs, like root-internet, say VLAN 100, root-Customer-A, VLAN 200, Customer-A-root, VLAN 300 (only three pairs are needed among 3 VDOMs). The 40F supports only up to 10 VDOMs, so the max you might need would be 9+8+7+6+5+4+3+2+1=45 VLANs. I would assume the NPU on the 40F is capable of covering way more than that.
Toshi
Hi,
thanks! I managed to create an NPU VDOM link using a VLAN for root-internet.
I also managed to create a static route and FW policy, and the root VDOM was able to get internet access and reach the FortiGuard cloud.
I'll probably use a "higher" VLAN number, i.e. 4001, 4002, etc., to avoid mixing with customers using lower VLAN numbers on the physical sub-interface ports.
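The procedure Toshi describes (one VLAN interface with the same VLAN ID on npu0_vlink0 and on npu0_vlink1, placed in different VDOMs) plus the static route and firewall policy the original poster reports adding, written out as an added FortiOS CLI example. This is not configuration posted in the thread. It assumes the unit is already in multi-VDOM mode with VDOMs named root and internet, that the 40F's single NPU exposes npu0_vlink0 and npu0_vlink1, and that the WAN port in the internet VDOM is named "wan"; the interface names root-to-inet and inet-to-root, VLAN 4001 and the constructed transit subnet 10.255.255.0/30 are illustrative choices, and the lines starting with # are annotations, not CLI to paste.

```fortios
# --- global context: the VLAN pair that forms the NPU-accelerated inter-VDOM link ---
# Both sub-interfaces carry the same VLAN ID (4001, assumed) but sit on opposite
# ends of the vlink and in different VDOMs, so the frames cross the NPU.
config global
    config system interface
        edit "root-to-inet"
            set vdom "root"
            set ip 10.255.255.1 255.255.255.252
            set allowaccess ping
            set interface "npu0_vlink0"
            set vlanid 4001
        next
        edit "inet-to-root"
            set vdom "internet"
            set ip 10.255.255.2 255.255.255.252
            set allowaccess ping
            set interface "npu0_vlink1"
            set vlanid 4001
        next
    end
end

# --- root VDOM: default route pointing across the link ---
config vdom
    edit root
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.255.2
                set device "root-to-inet"
            next
        end
    next
end

# --- internet VDOM: policy that lets traffic arriving over the link out to the WAN ---
# "wan" is an assumed interface name; adjust to the real egress port.
config vdom
    edit internet
        config firewall policy
            edit 0
                set name "root-link-to-wan"
                set srcintf "inet-to-root"
                set dstintf "wan"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

To check the link, enter the root VDOM (`config vdom`, `edit root`) and run `execute ping 10.255.255.2`, then `get router info routing-table all` to confirm the default route lists root-to-inet as its device. Two caveats a practitioner should keep in mind: VLAN 4001 exists only inside the NPU and never has to be defined on any switch, but as the original poster plans, pick IDs that do not collide with VLAN IDs used on physical ports; and the policy above uses srcaddr "all" for brevity, so on a multi-tenant box where customer VDOMs share the same two vlinks, restrict srcaddr to the root-side /30 or the specific networks that actually need egress rather than leaving it open.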