Using VLANs to add more accelerated Inter-VDOM links

You can add VLAN interfaces to the accelerated inter-VDOM links to create inter-VDOM links between more VDOMs. For the links to work, the VLAN interfaces must be added to the same inter-VDOM link, must be on the same subnet, and must have the same VLAN ID.

For example, to accelerate inter-VDOM link traffic between VDOMs named Marketing and Engineering using VLANs with VLAN ID 100, go to System > Network > Interfaces and select Create New to create the VLAN interface associated with the Marketing VDOM:

Name                 Marketing-link
Type                 VLAN
Interface            npu0-vlink0
VLAN ID              100
Virtual Domain       Marketing
IP/Network Mask      172.20.120.12/24

Create the inter-VDOM link associated with the Engineering VDOM:

Name                 Engineering-link
Type                 VLAN
Interface            npu0-vlink1
VLAN ID              100
Virtual Domain       Engineering
IP/Network Mask      172.20.120.22/24

Or do the same from the CLI:

config system interface
    edit Marketing-link
        set vdom Marketing
        set ip 172.20.120.12/24
        set interface npu0-vlink0
        set vlanid 100
    next
    edit Engineering-link
        set vdom Engineering
        set ip 172.20.120.22/24
        set interface npu0-vlink1
        set vlanid 100
    next
end
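
The three requirements stated above (same inter-VDOM link, same subnet, same VLAN ID) can be checked against a saved configuration before it is applied. The following Python is an added example, not Fortinet's code: the function names are hypothetical, the sample is the configuration from this section, and it assumes "same inter-VDOM link" means the vlink0 and vlink1 ends of one npuN-vlink pair, as in the example above.

```python
import ipaddress
import re

# Constructed sample: the CLI configuration from this section.
SAMPLE = """\
config system interface
    edit Marketing-link
        set vdom Marketing
        set ip 172.20.120.12/24
        set interface npu0-vlink0
        set vlanid 100
    next
    edit Engineering-link
        set vdom Engineering
        set ip 172.20.120.22/24
        set interface npu0-vlink1
        set vlanid 100
    next
end
"""
VLINK = re.compile(r"(npu\d+)-vlink([01])")

def parse_interfaces(text):
    """Return {name: {setting: value}} for each 'edit' block in the text."""
    interfaces, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "edit":
            current = interfaces.setdefault(words[1].strip('"'), {})
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = " ".join(words[2:]).strip('"')
    return interfaces

def check_vlan_link(a, b):
    """List every rule from the text that the VLAN interface pair violates."""
    problems = []
    pa = VLINK.fullmatch(a.get("interface", ""))
    pb = VLINK.fullmatch(b.get("interface", ""))
    if not pa or not pb:
        problems.append("parent is not an NPU vlink interface")
    # Assumption: the pair must sit on opposite ends of the same npuN-vlink.
    elif pa.group(1) != pb.group(1) or pa.group(2) == pb.group(2):
        problems.append("parents are not the two ends of one inter-VDOM link")
    if a.get("vlanid") != b.get("vlanid"):
        problems.append("VLAN IDs differ")
    # Accept both "addr/prefix" and "addr netmask" forms of 'set ip'.
    nets = {ipaddress.ip_interface(i["ip"].replace(" ", "/")).network for i in (a, b)}
    if len(nets) != 1:
        problems.append("IP addresses are on different subnets")
    return problems
```

An empty list from check_vlan_link means the pair meets all three requirements; each string in a non-empty list names one requirement that the pair fails.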

Configuring Inter-VDOM link acceleration with NP4 processors

FortiGate units with NP4 processors include inter-VDOM links that can be used to accelerate inter-VDOM link traffic.

Traffic is blocked if you enable IPS for traffic passing over inter-VDOM links and that traffic is being offloaded by an NP4 processor. If you disable NP4 offloading, traffic will be allowed to flow. You can disable offloading in individual firewall policies by disabling auto-asic-offload for those policies. You can also use the following command to disable all IPS offloading:

config ips global
    set np-accel-mode none
    set cp-accel-mode none
end

For a FortiGate unit with two NP4 processors there are also two inter-VDOM links, each with two interfaces:

  • npu0-vlink: npu0-vlink0 npu0-vlink1
  • npu1-vlink: npu1-vlink0 npu1-vlink1

These interfaces are visible from the GUI and CLI. For a FortiGate unit with NP4 interfaces, enter the following CLI command (output shown for a FortiGate-5001B):

get hardware npu np4 list
ID   Model      Slot   Interface
0    On-board          port1 port2 port3 port4
                       fabric1 base1 npu0-vlink0 npu0-vlink1
1    On-board          port5 port6 port7 port8
                       fabric2 base2 npu1-vlink0 npu1-vlink1

By default, the interfaces in each inter-VDOM link are assigned to the root VDOM. To use these interfaces to accelerate inter-VDOM link traffic, assign each interface in a pair to the VDOMs that you want to offload traffic between. For example, if you have added a VDOM named New-VDOM to a FortiGate unit with NP4 processors, you can go to System > Network > Interfaces, edit the npu0-vlink1 interface, and set the Virtual Domain to New-VDOM.

This results in an inter-VDOM link between root and New-VDOM. You can also do this from the CLI:

config system interface
    edit npu0-vlink1
        set vdom New-VDOM
end