Technical Tip: Move loopback interface to npu_vlink for IPSec/GRE

kyozloveyou_FTNT · ‎03-04-2024

Description

This article describes a way to migrate the loopback interface to npu_vlink to support a multihoming environment.

The advantages of using npu_vlink:

For NP6 models, IPSec traffic can offload to the NP to reduce CPU utilization as npu_vlink is the NPU interface.
For NP7 models, route change for multihoming for GRE formed in loopback is not supported. Thus, moving the loopback to npu_vlink is one of the alternatives.

The disadvantages of using npu_vlink:

Need for a design change as multi-vdom is required and the LAN subnet needs to move to the other VDOM. If the loopback uses a public IP, then the extra public is needed after the designed changed (1 IP for npu0_vlink0, another for npu0_vlink1 and both needed to be in the broadcast domain).

Scope

FortiGate.

Solution

Below is the topology before the changes:

Below is the topology after the changes:

Note:

The IP address in npu_vlink0 and npu_vlink1 need to be in the same subnet.

If more than 1 loopback is required, below are the solutions that can be done:

For NP6 models: create VLANS under npu_vlink, each VLAN representing each loopback via following this related KB article:
Using VLANs to add more accelerated inter-VDOM link interfaces
For NP7 models: Follow this related KB article to create multiple npu_vlink interface: Technical Tip: Create new npu_vlink for NP7 model