akileshc
Staff
Article Id 225575
Description This article describes how to fine-tune BGP configurations to facilitate the fastest BGP route failovers on FortiGate.
Scope FortiGate.
Solution

BGP is perhaps the most widely used and dependable routing protocol on the Internet, and it also plays a significant role in linking large businesses.
In such deployments, redundant routing and the fastest possible route failover are important.

Configure the following timers to the lowest values appropriate for the environment to enable the fastest route failovers: scan-time, advertisement-interval, keep-alive-timer, and holdtime-timer.

CLI Syntax:

config router bgp
    set scan-time <integer>    <- Background scanner interval (sec), 0 to disable it
                                  (integer: minimum 5, maximum 60, default 60)
end

config router bgp
    config neighbor | neighbor-group
        edit <ip> | <name>
            set advertisement-interval <integer>    <- Minimum interval (sec) between sending updates
                                                       (integer: minimum 1, maximum 600, default 30)
            set keep-alive-timer <integer>          <- Keepalive timer interval (sec)
                                                       (integer: minimum 0, maximum 65535; default: global BGP value)
            set holdtime-timer <integer>            <- Number of seconds before the peer is marked as dead
                                                       (integer: minimum 3, maximum 65535, or the special value 0; default: global BGP value)
        next
    end
end

Example:

config router bgp
    set keepalive-timer 5
    set holdtime-timer 15
    set scan-time 59
    config neighbor
        edit "10.10.20.1"
            set advertisement-interval 2
            set link-down-failover enable
            set connect-timer 2
        next
    end
end

In the case of IPsec, there are 2 more values that can be modified under DPD (dead peer detection):

  1. Retry count (default: 3).
  2. Retry interval (default: 20 seconds).

Example:

config vpn ipsec phase1-interface
    edit "IPsec_tunnel"
        set dpd-retrycount 2
        set dpd-retryinterval 10
    next
end

For IPsec, reduce the DPD retry count and retry interval settings to accelerate the detection of dead remote gateways. For example, by setting the retry count and retry interval to 2 and 10 respectively, the time FortiGate takes to detect a dead gateway is reduced to 30 seconds: a 10-second idle time plus 20 seconds from two unanswered DPD messages.

Very often in SD-WAN and ADVPN scenarios, BGP is configured on top of the IPsec tunnel. By default, FortiGate does not bring a peering down when the outgoing (binding) interface goes down; instead, it waits for the hold time to expire.

FortiOS provides a mechanism to bring the peering down immediately when the binding interface goes down, for example when the IPsec tunnel is down. Whether to use this approach deserves consideration if the IPsec tunnel flaps often, since it means BGP will also go down and come back up each time.

Another way is to adjust the 'holdtime-timer'. The default value is 180 seconds:

config router bgp
    set holdtime-timer 180    <- Default value is 180 seconds.
    config neighbor
        edit 192.168.4.1
            set link-down-failover enable    <- Disabled by default.
        next
    end
end

For sub-second failover, consider implementing BFD. It first needs to be enabled globally under config system settings:

config system settings
    set bfd enable
end

Then it has to be enabled per peer:

config router bgp
    set as 65001
    config neighbor
        edit 172.16.1.1
            set bfd enable
            set remote-as 65002
        next
    end
end

BFD timers may be set globally for the whole FortiGate:

config system settings
    set bfd {enable | disable}
    set bfd-desired-min-tx <ms>
    set bfd-required-min-rx <ms>
    set bfd-detect-mult <multiplier>
end

Alternatively, they can be set per interface:

config system interface
    edit <interface-name>
        set bfd {global | enable | disable}
        set bfd-desired-min-tx <ms>
        set bfd-required-min-rx <ms>
        set bfd-detect-mult <multiplier>
    next
end
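As an added illustration (not part of the article or of FortiOS), the following Python helper parses a FortiOS-style snippet built from the values above and computes the worst-case time each mechanism takes to declare the peer dead: the BGP hold time (with the RFC 4271 check that keepalive is at most one third of it), IPsec DPD using the article's idle-interval-plus-unanswered-probes arithmetic, and BFD as detect-mult times the slower of the two timers. It assumes both BFD peers run the same timers, and the BFD values in the sample are constructed, not FortiOS defaults.

```python
import re

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(\S+)")

def parse_settings(snippet):
    """Collect every 'set <key> <value>' line into one dict (nesting ignored: the timers here have distinct names)."""
    settings = {}
    for line in snippet.splitlines():
        m = SET_LINE.match(line)
        if m:
            key, value = m.groups()
            settings[key] = int(value) if value.isdigit() else value
    return settings

def failover_times(settings):
    """Worst-case time to declare a peer dead for each mechanism present in the snippet."""
    out = {}
    if "holdtime-timer" in settings:
        hold, keep = settings["holdtime-timer"], settings.get("keepalive-timer", 0)
        out["bgp_holdtime_s"] = hold
        # RFC 4271 convention: keepalive at most one third of the hold time (0 disables).
        out["keepalive_ok"] = hold == 0 or keep * 3 <= hold
    if "dpd-retrycount" in settings:
        # One idle interval before the first probe, then one interval per unanswered probe.
        out["ipsec_dpd_s"] = (settings["dpd-retrycount"] + 1) * settings["dpd-retryinterval"]
    if "bfd-detect-mult" in settings:
        # Assumes the peer runs the same timers; the slower of tx/rx sets the packet interval.
        interval = max(settings["bfd-desired-min-tx"], settings["bfd-required-min-rx"])
        out["bfd_ms"] = settings["bfd-detect-mult"] * interval
    return out

# Constructed sample: the article's BGP and DPD values plus sample (non-default) BFD timers.
SAMPLE = """config router bgp
    set keepalive-timer 5
    set holdtime-timer 15
    set scan-time 59
end
config vpn ipsec phase1-interface
    edit "IPsec_tunnel"
        set dpd-retrycount 2
        set dpd-retryinterval 10
    next
end
config system settings
    set bfd-desired-min-tx 250
    set bfd-required-min-rx 250
    set bfd-detect-mult 3
end"""
print(failover_times(parse_settings(SAMPLE)))
```

With the sample values this reports a 15-second BGP hold-time detection, the article's 30-second DPD detection, and 750 ms for BFD.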