Hi,
I am trying to understand what will the performance impact of adding a new VDOM that will be used as site-to-site VPN concentrator. Total number of IPSec VPN tunnels will be about 100 with summary throughput up to 2Gbps. Quite possible the number of IPSec tunnels will grow in the future. Does Fortinet have any best practices for this kind of scenario?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Although I don't know if such documentation is available, I wouldn't expect much difference. But if NP6 supported model, make sure to follow the doc below so use the same NPU from ingress to egress of VPN traffic. That definitely affects to VPN performance.
toshiesumi wrote:Hi,Although I don't know if such documentation is available, I wouldn't expect much difference. But if NP6 supported model, make sure to follow the doc below so use the same NPU from ingress to egress of VPN traffic. That definitely affects to VPN performance.
Do you have an explaination ? I don't understand why it would cause an impact (most of FGT has an ISF)
Lucas
I don't know if NPU offloading can actually happen when the ingress belongs to npu0 and the vdom-link to hand out belongs to npu1 (maybe described at somewhere in the doc). But easily understand it needed to be pulled out from the NPU back to the CPU to put back in another NPU. Then same thing needs to happen on the egress vdom if npu mismatches there as well.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1072 | |
751 | |
443 | |
219 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.