Administration Guide

BFD for multihop path for BGP

In BFD, a FortiGate can support neighbors connected over multiple hops. When BFD is down, BGP sessions are reset and will try to immediately re-establish neighbor connections. Previously, BFD was only supported when two routers or FortiGates were directly connected on the same network.

config router {bfd | bfd6}
    config multihop-template
        edit <ID>
            set src <class_IP/netmask>
            set dst <class_IP/netmask>
            set bfd-desired-min-tx <integer>
            set bfd-required-min-rx <integer>
            set bfd-detect-mult <integer>
            set auth-mode {none | md5}
            set md5-key <password>
        next
    end
end

src <class_IP/netmask>

Enter the source prefix.

dst <class_IP/netmask>

Enter the destination prefix.

bfd-desired-min-tx <integer>

Set the BFD desired minimal transmit interval, in milliseconds (100 - 30000, default = 250).

bfd-required-min-rx <integer>

Set the BFD required minimal receive interval, in milliseconds (100 - 30000, default = 250).

bfd-detect-mult <integer>

Set the BFD detection multiplier (3 - 50, default = 3).

auth-mode {none | md5}

Set the authentication mode (none or meticulous MD5).

md5-key <password>

Enter the password.

Example

This example includes IPv4 and IPv6 BFD neighbor configurations. The BFD neighbor is also a BGP neighbor that is in a different AS.

To configure BFD with multihop BGP paths:
  1. Enable BFD on all interfaces:
    config system settings
        set bfd enable
    end
  2. Enable BFD on port1 and ignore the global configuration:
    config system interface
        edit "port1"
            set bfd enable
        next
    end
  3. Configure the BGP neighbors:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        config neighbor
            edit "172.16.201.2"
                set bfd enable
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 65050
            next
            edit "2000:172:16:201::2"
                set bfd enable
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 65050
            next
        end
    end
  4. Configure the IPv4 BFD:
    config router bfd
        config multihop-template
            edit 1
                set src 172.16.200.0 255.255.255.0
                set dst 172.16.201.0 255.255.255.0
                set auth-mode md5
                set md5-key **********
            next
        end
    end
  5. Configure the IPv6 BFD:
    config router bfd6
        config multihop-template
            edit 1
                set src 2000:172:16:200::/64
                set dst 2000:172:16:201::/64
            next
        end
    end
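
An added example, not part of the Fortinet guide: a Python audit that reads multihop-template blocks from a saved configuration and reports templates without `auth-mode md5` (as with the IPv6 template in step 5) or with values outside the ranges documented above. The function names and the sample text are constructed for illustration, and treating an absent `auth-mode` as unauthenticated is an assumption.

```python
# Ranges documented in the parameter descriptions on this page.
RANGES = {"bfd-desired-min-tx": (100, 30000),
          "bfd-required-min-rx": (100, 30000),
          "bfd-detect-mult": (3, 50)}

def parse_templates(text):
    """Return {(family, id): {option: value}} for each multihop template."""
    templates, family, current, in_tmpl = {}, None, None, False
    for line in map(str.strip, text.splitlines()):
        words = line.split()
        if line.startswith("config router "):
            family = words[2]
        elif line == "config multihop-template":
            in_tmpl = family in ("bfd", "bfd6")
        elif in_tmpl and line.startswith("edit "):
            current = templates.setdefault((family, words[1]), {})
        elif current is not None and line.startswith("set ") and len(words) > 2:
            current[words[1]] = " ".join(words[2:])
        elif line in ("next", "end"):
            # "next" closes one template; "end" also closes the template table.
            current, in_tmpl = None, in_tmpl and line == "next"
    return templates

def audit(text):
    """List findings. Assumption: no 'set auth-mode md5' means no authentication."""
    findings = []
    for (family, tid), opts in parse_templates(text).items():
        name = f"{family} template {tid}"
        if opts.get("auth-mode", "none") != "md5":
            findings.append(f"{name}: no MD5 authentication")
        for key, (low, high) in RANGES.items():
            if key in opts and not low <= int(opts[key]) <= high:
                findings.append(f"{name}: {key}={opts[key]} outside {low}-{high}")
    return sorted(findings)

# Constructed sample based on steps 4 and 5; the detect-mult of 2 is deliberate.
SAMPLE = """config router bfd
    config multihop-template
        edit 1
            set auth-mode md5
        next
    end
end
config router bfd6
    config multihop-template
        edit 1
            set bfd-detect-mult 2
        next
    end
end"""
print("\n".join(audit(SAMPLE)))
```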

Testing the connection

  1. Verify the BFD status for IPv4 and IPv6:
    # get router info bfd requests
    BFD Peer Requests:
        client types(ct in 0x): 01=external 02=static
            04=ospf 08=bgp 10=pim-sm
    src=172.16.200.1     dst=172.16.201.2     ct=08 ifi=9 type=SM
    # get router info bfd neighbor
    OurAddress      NeighAddress    State       Interface       LDesc/RDesc
    172.16.200.1    172.16.201.2    UP          port1           5/3/M
    
    # get router info6 bfd requests
    BFD Peer Requests:
        client types(ct in 0x): 01=external 02=static
            04=ospf 08=bgp 10=pim-sm
    src=2000:172:16:200::1
    dst=2000:172:16:201::2
    ct=08 ifi=9 type=SM
    
    # get router info6 bfd neighbor
    OurAddress: 2000:172:16:200::1
    NeighAddress: 2000:172:16:201::2
    State: UP Interface: port1 Desc: 6/4 Multi-hop
  2. Verify the BGP status and the BGP routing table:
    # get router info bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 11
    3 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor           V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    172.16.201.2       4      65050     185     187       10    0    0 00:54:20        4
    2000:172:16:201::2 4      65050     159     160       10    0    0 00:54:24        4
    
    Total number of neighbors 2
    
    # get router info routing-table bgp
    Routing table for VRF=0
    B       172.28.1.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B       172.28.2.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B       172.28.5.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B       172.28.6.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    
    # get router info6 bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 8
    3 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor           V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    172.16.201.2       4      65050     185     187        7    0    0 00:54:24        3
    2000:172:16:201::2 4      65050     159     160        7    0    0 00:54:28        3
    
    Total number of neighbors 2
    
    # get router info6 routing-table bgp
    Routing table for VRF=0
    B       2000:172:28:1::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40
    B       2000:172:28:2::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40
    B       2000:172:28:3::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40
  3. Simulate a disruption to the BFD connection. The BFD neighbor is lost:
    # get router info bfd neighbor
    OurAddress      NeighAddress    State       Interface       LDesc/RDesc
    
    # get router info6 bfd neighbor
  4. The BGP neighbor is reset, and the FortiGate attempts to re-establish a connection with the neighbor. The timers are reset once the neighbor connection is re-established:
    # get router info bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 12
    4 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor           V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd  
    172.16.201.2       4      65050     189     192       11    0    0 00:00:11        4
    2000:172:16:201::2 4      65050     165     167       12    0    0 00:00:08        4
    
    Total number of neighbors 2
    
    # get router info6 bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 10
    4 BGP AS-PATH entries
    0 BGP community entries
    
    Neighbor           V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    172.16.201.2       4      65050     189     192        8    0    0 00:00:15        3
    2000:172:16:201::2 4      65050     165     167        9    0    0 00:00:12        3
    
    Total number of neighbors 2
  5. The BGP routes are learned again, and there are new timers in the route tables:
    # get router info routing-table bgp
    Routing table for VRF=0
    B       172.28.1.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B       172.28.2.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B       172.28.5.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B       172.28.6.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    # get router info6 routing-table bgp
    Routing table for VRF=0
    B       2000:172:28:1::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13
    B       2000:172:28:2::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13
    B       2000:172:28:3::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13
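
An added example, not part of the Fortinet guide: a Python check that reads `get router info bgp summary` output and reports neighbors whose Up/Down timer shows a recent reset, as in step 4, or whose State/PfxRcd column is not a prefix count. The neighbor rows are copied from the outputs above; the function names and the 60-second window are assumptions, and only the hh:mm:ss timer format shown on this page is interpreted.

```python
import re

# Neighbor rows of the summary: address, version 4, AS, five counters
# (MsgRcvd MsgSent TblVer InQ OutQ), Up/Down timer, then State/PfxRcd.
ROW = re.compile(r"^\s*(\S+)\s+4\s+(\d+)(?:\s+\d+){5}\s+(\S+)\s+(\S+)\s*$")

def uptime_seconds(value):
    """Convert an hh:mm:ss Up/Down value to seconds; None for other formats."""
    m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", value)
    return None if m is None else int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])

def recent_resets(summary, window=60):
    """Return [(neighbor, reason)] for sessions down or up for < window seconds."""
    hits = []
    for line in summary.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header and total lines do not match ROW
        neighbor, _asn, updown, state = m.groups()
        secs = uptime_seconds(updown)
        if not state.isdigit():
            # A state name instead of a prefix count: session not established.
            hits.append((neighbor, f"not established ({state})"))
        elif secs is not None and secs < window:
            hits.append((neighbor, f"re-established {secs}s ago"))
    return hits

HEADER = "Neighbor  V  AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd\n"
# Rows from step 2 (before the disruption) and step 4 (after it) on this page.
BEFORE = HEADER + """\
172.16.201.2       4      65050     185     187       10    0    0 00:54:20        4
2000:172:16:201::2 4      65050     159     160       10    0    0 00:54:24        4
"""
AFTER = HEADER + """\
172.16.201.2       4      65050     189     192       11    0    0 00:00:11        4
2000:172:16:201::2 4      65050     165     167       12    0    0 00:00:08        4
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, recent_resets(text))
```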
