Description
This article describes the Bidirectional Forwarding Detection implementation and examples.
A few words about BFD:
- Mechanism detecting a one way device failure.
- Used for faster convergence of routing protocols.
- Independent interface media, routing, or data protocol.
- Draft RFCs with multiple encapsulation types.
- FortiGate uses unicast packet, UDP port 3784 (not routable)
- BFD vs "Fortinet Dead Gateway Detection" (DGD)
DGD
- Simple mechanism, no specific protocol needed on the “ping server”
- Based on ping, hence a L3 routable packet that can detect problems on a far end network
BFD
-
Fast convergence (<1s)
-
Devices must be on the same subnet
-
Interoperable support of BFD required between vendors
-
Designed for OSPF and BGP
FortiGate BFD/OSPF operation described in the following scenarios
If BFD is configured but not OSPF, no BFD packets are sent.
When OSPF is operational, we see BFD neighbours together with OSPF neighbours.
BFD failure due to remote router (neighbor) failure.
Starting from the previous state (BFD neighbor is up) the BFD failure detection in this case is immediately followed by a withdrawal of the failed OSPF neighbour, triggering route reconvergence.
BFD packets seen from the CLI sniffer
FGT # diagnose sniffer packet any "udp port 3784" 6
0.514603 port7 in 192.168.11.53.49161 -> 192.168.11.54.3784: udp 24
0.514603 port7 in 192.168.11.53.49161 -> 192.168.11.54.3784: udp 24
0x0000 0000 0000 0001 0009 0f12 b95e 0800 4500 ...........^..E.
0x0010 0034 508b 0000 ff11 d371 c0a8 0b35 c0a8 .4P......q...5..
0x0020 0b36 c009 0ec8 0020 ee8f 20c0 0318 0000 .6..............
0x0030 000a 0000 000d 0000 c350 0000 c350 0000 .........P...P..
0x0040 0000 ..
0.530202 port7 out 192.168.11.54.49164 -> 192.168.11.53.3784: udp 24
0x0000 0000 0000 0000 0009 0f12 bcfe 0800 4500 ..............E.
0x0010 0034 c08f 0000 ff11 636d c0a8 0b36 c0a8 .4......cm...6..
0x0020 0b35 c00c 0ec8 0020 ee8c 20c0 0318 0000 .5..............
0x0030 000d 0000 000a 0000 c350 0000 c350 0000 .........P...P..
0x0040 0000 ..
BFD packets seen with a packet decoder
Scope
FortiGate or VDOM operating in NAT Mode and running OSPF or BGP.
Solution
| Step 1 : BFD must be configured globally and per interface (per neighbor if used for BGP) Default = 50ms ; threshold = 3 FGT # config system settings FGT(settings) # set bfd enable
FGT # config system interface FGT(interface) # edit port7 FGT(port7) # set bfd enable
|
|
Step 2 : configuration at protocol level
Configuration example at OSPF level
Configuration example at BGP level
|
|
Verification with CLI commands
TestFGT_5 # get router info bgp neighbors
BGP neighbor is 192.168.3.254, remote AS 65254, local AS 65250, external link
TestFGT_5 # get router info bfd neighbor
OurAddr NeighAddr LD/RD State Int 192.168.3.250 192.168.3.254 4/1 UP port7 |
Note:
- state : returns the current state of BFD (UP).
- LD/RD : BFD Local Discriminator / Remote Discriminator used in this BFD session .
- LD/RD : BFD Local Discriminator / Remote Discriminator used in this BFD session .
- From v7.2.0 onward we can configure the multi-hop BFD.
Refer below doc for more information:
https://docs.fortinet.com/document/fortigate/7.2.0/new-features/729892/bfd-for-multihop-path-for-bgp
Related Articles
Technical Note : How to implement BGP route summary (aggregation) on a FortiGate
