Description
This article describes the Bidirectional Forwarding Detection implementation and examples.
A few words about BFD:
- Mechanism for detecting failures in the forwarding path between two devices, including a one-way (unidirectional) failure, much faster than routing-protocol hello timers allow.
- Used for faster convergence of routing protocols.
- Independent of interface media, routing protocol, or data protocol.
- Standardized in RFC 5880 (base protocol) and RFC 5881 (single-hop IPv4/IPv6), originally published as drafts, with multiple encapsulation types.
- FortiGate sends unicast UDP packets to port 3784. Single-hop BFD packets carry TTL 255 and are not forwarded beyond the directly connected neighbor (not routable).
BFD vs. Fortinet Dead Gateway Detection (DGD):
DGD:
- Simple mechanism; no specific protocol support is needed on the 'ping server'.
- Based on ping, hence an L3 routable packet that can detect problems on a far-end network.
BFD:
- Fast convergence (<1 s).
- Devices must be on the same subnet (single-hop BFD; see the note on multi-hop BFD below).
- Both peers must support BFD, so interoperable BFD support is required between vendors.
- Designed as a generic liveness check for routing protocols; on FortiGate it is used by OSPF, BGP and static routes.
BFD can be configured at multiple levels:
- Device level: Enables BFD for all interfaces and protocols on the FortiGate.
- Interface level: Overrides the device-level setting, allowing BFD to be enabled or disabled on specific interfaces.
- Protocol level: Enables BFD for a specific routing protocol such as BGP, regardless of interface settings.
The configuration hierarchy allows each lower level to override the BFD setting of the level above it. For example, if BFD is enabled at the device level, it can still be disabled at the interface or protocol level. This allows flexible control over BFD behavior.
To configure BFD:
- Enable BFD at the required level (device/VDOM, interface, or protocol).
- Define a BFD neighbor.
- Enable BFD on the relevant route or routing protocol.
BFD sessions are only created on behalf of a client protocol: if BFD is enabled but OSPF is not configured (or has no neighbor), no BFD packets are sent.
When OSPF is operational, BFD neighbors can be seen alongside the OSPF neighbors.
BFD failure due to remote router (neighbor) failure:
Starting from the previous state (BFD neighbor up), the BFD failure detection in this case is immediately followed by withdrawal of the failed OSPF neighbor, which triggers route reconvergence.
BFD packets are seen from the CLI sniffer (diagnose sniffer packet); note the destination port 3784 and the 24-byte UDP payload, which is exactly the BFD control packet mandatory section when no authentication section is present:
0.514603 port7 in 192.168.11.53.49161 -> 192.168.11.54.3784: udp 24
BFD packets are seen with a packet decoder:
Scope
FortiGate or VDOM operating in NAT Mode and running OSPF or BGP.
Solution
Default BFD timers: interval = 50 ms; detection multiplier (threshold) = 3. A neighbor is declared down after 3 consecutive missed control packets, i.e. 3 x 50 ms = 150 ms at the defaults; the interval actually used is negotiated with the peer (the larger of our required minimum receive interval and the peer's desired minimum transmit interval).
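To make the sniffer output and the timer defaults concrete, the following decoder is an added example (not code from the original article or from Fortinet). It parses the 24-byte mandatory section of a BFD control packet as defined in RFC 5880 section 4.1, applies the reception checks of section 6.8.6, derives the detection time using the section 6.8.4 rule, and sanity-checks a sniffer summary line of the form shown above. The sample packet is constructed, not captured from a FortiGate; it represents what the neighbor of the session shown later on this page (LD/RD 4/1) would send with 50 ms timers and multiplier 3. The sniffer line format is assumed to match the one quoted above.

```python
"""BFD control packet decoder (RFC 5880/5881) - added example, not Fortinet code.
The sample packet and sniffer line are constructed for illustration."""
import re
import struct
from dataclasses import dataclass

# Mandatory section: Vers|Diag, Sta|P|F|C|A|D|M, Detect Mult, Length, My Disc,
# Your Disc, Desired Min TX, Required Min RX, Required Min Echo RX (microseconds).
BFD_HDR = struct.Struct("!BBBBIIIII")          # 24 bytes, network byte order
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
BFD_SINGLEHOP_PORT = 3784                     # RFC 5881 (what FortiGate uses)
BFD_MULTIHOP_PORT = 4784                      # RFC 5883
SRC_PORT_RANGE = range(49152, 65536)          # RFC 5881 section 4 source ports


@dataclass(frozen=True)
class BfdControl:
    version: int
    diag: int
    state: int
    poll: bool
    final: bool
    auth_present: bool
    demand: bool
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int

    @property
    def state_name(self) -> str:
        return STATES[self.state]


def parse_bfd(payload: bytes) -> BfdControl:
    """Decode one UDP payload; raise ValueError for packets RFC 5880 6.8.6 discards."""
    if len(payload) < BFD_HDR.size:
        raise ValueError("payload shorter than the 24-byte mandatory section")
    vd, sf, mult, length, my, your, tx, rx, erx = BFD_HDR.unpack_from(payload)
    pkt = BfdControl(
        version=vd >> 5, diag=vd & 0x1F, state=sf >> 6,
        poll=bool(sf & 0x20), final=bool(sf & 0x10),
        auth_present=bool(sf & 0x04), demand=bool(sf & 0x02),
        detect_mult=mult, length=length, my_disc=my, your_disc=your,
        desired_min_tx_us=tx, required_min_rx_us=rx, required_min_echo_rx_us=erx,
    )
    if pkt.version != 1:
        raise ValueError(f"unsupported BFD version {pkt.version}")
    if pkt.length < BFD_HDR.size or pkt.length > len(payload):
        raise ValueError("Length field inconsistent with payload")
    if pkt.auth_present and pkt.length < BFD_HDR.size + 2:
        raise ValueError("A bit set but no authentication section present")
    if pkt.detect_mult == 0:
        raise ValueError("Detect Mult must be non-zero")
    if pkt.my_disc == 0:
        raise ValueError("My Discriminator must be non-zero")
    if pkt.your_disc == 0 and pkt.state not in (0, 1):
        raise ValueError("Your Discriminator may be zero only in Down/AdminDown")
    return pkt


def detection_time_us(remote: BfdControl, local_required_min_rx_us: int) -> int:
    """Local detection time in asynchronous mode (RFC 5880 6.8.4): the remote's
    Detect Mult times the negotiated interval, i.e. the larger of the remote's
    Desired Min TX and our own Required Min RX."""
    return remote.detect_mult * max(remote.desired_min_tx_us, local_required_min_rx_us)


def build_bfd(state, my_disc, your_disc, tx_us, rx_us, detect_mult=3, version=1) -> bytes:
    """Encode a mandatory section with no flags; used only to construct sample input."""
    return BFD_HDR.pack((version << 5), state << 6, detect_mult, BFD_HDR.size,
                        my_disc, your_disc, tx_us, rx_us, 0)


# FortiGate sniffer summary line, e.g. "... 192.168.11.53.49161 -> 192.168.11.54.3784: udp 24"
SNIFFER_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)")


def classify_sniffer_line(line: str) -> str:
    """Check whether a sniffer summary line plausibly carries a BFD control packet."""
    m = SNIFFER_RE.search(line)
    if not m:
        return "not a UDP summary line"
    sport, dport, ulen = int(m["sport"]), int(m["dport"]), int(m["len"])
    if dport not in (BFD_SINGLEHOP_PORT, BFD_MULTIHOP_PORT):
        return "not BFD"
    if sport not in SRC_PORT_RANGE:
        return "bad source port"           # RFC 5881 requires 49152-65535
    if ulen < BFD_HDR.size:
        return "too short"
    return "single-hop" if dport == BFD_SINGLEHOP_PORT else "multi-hop"


# Constructed sample: the neighbor's Up packet for a session where our LD is 4 and
# its LD (our RD) is 1, 50 ms timers and detection multiplier 3.
SAMPLE_UP = build_bfd(state=3, my_disc=1, your_disc=4, tx_us=50_000, rx_us=50_000)

if __name__ == "__main__":
    p = parse_bfd(SAMPLE_UP)
    print(p.state_name, "My/Your Disc", p.my_disc, p.your_disc,
          "detection time", detection_time_us(p, 50_000), "us")
```

With both sides at the 50 ms default and multiplier 3 the computed detection time is 150000 us (150 ms); raising our own required minimum receive interval to 250 ms stretches the same neighbor's detection time to 750 ms, which is why timers should be reviewed on both peers when tuning convergence.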
Configuration example at OSPF level (the 'config neighbor' block with remote-as is the matching BGP neighbor setting, not part of OSPF):
config router ospf
    set bfd enable          --> Default = disabled.
    config ospf-interface
        edit "dmz"
            set bfd enable
        next
    end
end

config router bgp
    config neighbor
        edit "192.168.3.254"
            set bfd enable
            set remote-as 65254
        next
    end
end
Verify the session with 'get router info bfd neighbor':
OurAddr         NeighAddr       LD/RD   State   Int
192.168.3.250   192.168.3.254   4/1     UP      port7
- State: current state of the BFD session (AdminDown, Down, Init or Up as defined in RFC 5880; UP here).
- LD/RD: BFD Local Discriminator / Remote Discriminator of this session. The neighbor's packets carry our LD in their Your Discriminator field and its own LD (our RD) in My Discriminator; a mismatch means the packet belongs to another session and is ignored.
- From FortiOS v7.2.0 onward, multi-hop BFD can also be configured, which removes the same-subnet requirement of single-hop BFD listed above.
Related documents:
Technical Note: How to implement BGP route summary (aggregation) on a FortiGate
Technical Tip: Configuring Bidirectional Forwarding Detection (BFD) for static routes