BFD for multihop path for BGP
In BFD, a FortiGate can support neighbors connected over multiple hops. When BFD is down, BGP sessions are reset and will try to immediately re-establish neighbor connections. Previously, BFD was only supported when two routers or FortiGates were directly connected on the same network.
    config router {bfd | bfd6}
        config multihop-template
            edit <ID>
                set src <class_IP/netmask>
                set dst <class_IP/netmask>
                set bfd-desired-min-tx <integer>
                set bfd-required-min-rx <integer>
                set bfd-detect-mult <integer>
                set auth-mode {none | md5}
                set md5-key <password>
            next
        end
    end
| Option | Description |
|---|---|
| src <class_IP/netmask> | Enter the source prefix. |
| dst <class_IP/netmask> | Enter the destination prefix. |
| bfd-desired-min-tx <integer> | Set the BFD desired minimal transmit interval, in milliseconds (100 - 30000, default = 250). |
| bfd-required-min-rx <integer> | Set the BFD required minimal transmit interval, in milliseconds (100 - 30000, default = 250). |
| bfd-detect-mult <integer> | Set the BFD detection multiplier (3 - 50, default = 3). |
| auth-mode {none \| md5} | Set the authentication mode (none or meticulous MD5). |
| md5-key <password> | Enter the password. |
Example
This example includes IPv4 and IPv6 BFD neighbor configurations. The BFD neighbor is also a BGP neighbor that is in a different AS.
To configure BFD with multihop BGP paths:
- Enable BFD on all interfaces:
    config system settings
        set bfd enable
    end
- Enable BFD on port1 and ignore the global configuration:
    config system interface
        edit "port1"
            set bfd enable
        next
    end
- Configure the BGP neighbors:
    config router bgp
        set as 65412
        set router-id 1.1.1.1
        config neighbor
            edit "172.16.201.2"
                set bfd enable
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 65050
            next
            edit "2000:172:16:201::2"
                set bfd enable
                set ebgp-enforce-multihop enable
                set soft-reconfiguration enable
                set remote-as 65050
            next
        end
    end
- Configure the IPv4 BFD:
    config router bfd
        config multihop-template
            edit 1
                set src 172.16.200.0 255.255.255.0
                set dst 172.16.201.0 255.255.255.0
                set auth-mode md5
                set md5-key **********
            next
        end
    end
- Configure the IPv6 BFD:
    config router bfd6
        config multihop-template
            edit 1
                set src 2000:172:16:200::/64
                set dst 2000:172:16:201::/64
            next
        end
    end
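Because a BFD down event resets the BGP session, it is worth checking each multihop template for out-of-range timers and for missing `auth-mode md5` before it is deployed. The following Python sketch is an added example, not Fortinet code: it parses the two templates from the steps above and reports findings together with the detection time that results from the timers. The function names are hypothetical, and the detection-time figure assumes the peer uses the same timer values.

```python
import re

# Ranges/defaults are from this page's option table; SAMPLE_CONFIG is its example (added code).
INTERVAL_MS, MULT = (100, 30000), (3, 50)
DEFAULTS = {"bfd-desired-min-tx": 250, "bfd-required-min-rx": 250, "bfd-detect-mult": 3}
SAMPLE_CONFIG = """
config router bfd
    config multihop-template
        edit 1
            set src 172.16.200.0 255.255.255.0
            set dst 172.16.201.0 255.255.255.0
            set auth-mode md5
            set md5-key **********
        next
    end
end
config router bfd6
    config multihop-template
        edit 1
            set src 2000:172:16:200::/64
            set dst 2000:172:16:201::/64
        next
    end
end
"""

def parse_templates(text):
    """Return {(family, id): {option: value}}; expects only router bfd/bfd6 sections."""
    templates, family, current = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"config router (bfd6?)", line):
            family = m.group(1)
        elif m := re.fullmatch(r"edit (\S+)", line):
            current = templates.setdefault((family, m.group(1)), {})
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2)
    return templates

def audit(opts):
    """Return (findings, detection_ms) for one template's options."""
    v = {k: int(opts.get(k, d)) for k, d in DEFAULTS.items()}
    findings = [f"{k} out of range" for k in ("bfd-desired-min-tx", "bfd-required-min-rx")
                if not INTERVAL_MS[0] <= v[k] <= INTERVAL_MS[1]]
    if not MULT[0] <= v["bfd-detect-mult"] <= MULT[1]:
        findings.append("bfd-detect-mult out of range")
    if opts.get("auth-mode") != "md5":
        findings.append("auth-mode md5 not set")
    # RFC 5880 section 6.8.4; assumption: the peer is configured with the same values.
    detect_ms = v["bfd-detect-mult"] * max(v["bfd-required-min-rx"], v["bfd-desired-min-tx"])
    return findings, detect_ms
```

Run against the example, the IPv4 template is clean and the IPv6 template is flagged because it does not set `auth-mode md5`; both yield a 750 ms detection time with the default timers.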
Testing the connection
- Verify the BFD status for IPv4 and IPv6:
    # get router info bfd requests
    BFD Peer Requests:
    client types(ct in 0x): 01=external 02=static 04=ospf 08=bgp 10=pim-sm
    src=172.16.200.1 dst=172.16.201.2 ct=08 ifi=9 type=SM

    # get router info bfd neighbor
    OurAddress      NeighAddress    State   Interface   LDesc/RDesc
    172.16.200.1    172.16.201.2    UP      port1       5/3/M

    # get router info6 bfd requests
    BFD Peer Requests:
    client types(ct in 0x): 01=external 02=static 04=ospf 08=bgp 10=pim-sm
    src=2000:172:16:200::1
    dst=2000:172:16:201::2
    ct=08 ifi=9 type=SM

    # get router info6 bfd neighbor
    OurAddress: 2000:172:16:200::1
    NeighAddress: 2000:172:16:201::2
    State: UP Interface: port1 Desc: 6/4 Multi-hop
- Verify the BGP status and the BGP routing table:
    # get router info bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 11
    3 BGP AS-PATH entries
    0 BGP community entries

    Neighbor            V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    172.16.201.2        4  65050  185      187      10      0    0     00:54:20  4
    2000:172:16:201::2  4  65050  159      160      10      0    0     00:54:24  4

    Total number of neighbors 2

    # get router info routing-table bgp
    Routing table for VRF=0
    B    172.28.1.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B    172.28.2.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B    172.28.5.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32
    B    172.28.6.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:54:32

    # get router info6 bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 8
    3 BGP AS-PATH entries
    0 BGP community entries

    Neighbor            V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    172.16.201.2        4  65050  185      187      7       0    0     00:54:24  3
    2000:172:16:201::2  4  65050  159      160      7       0    0     00:54:28  3

    Total number of neighbors 2

    # get router info6 routing-table bgp
    Routing table for VRF=0
    B    2000:172:28:1::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40
    B    2000:172:28:2::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40
    B    2000:172:28:3::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:54:40
- Simulate a disruption to the BFD connection. The BFD neighbor is lost:
    # get router info bfd neighbor
    OurAddress      NeighAddress    State   Interface   LDesc/RDesc

    # get router info6 bfd neighbor
- The BGP neighbor is reset, and the FortiGate attempts to re-establish a connection with the neighbor. The timers are reset once the neighbor connection is re-established:
    # get router info bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 12
    4 BGP AS-PATH entries
    0 BGP community entries

    Neighbor            V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    172.16.201.2        4  65050  189      192      11      0    0     00:00:11  4
    2000:172:16:201::2  4  65050  165      167      12      0    0     00:00:08  4

    Total number of neighbors 2

    # get router info6 bgp summary
    VRF 0 BGP router identifier 1.1.1.1, local AS number 65412
    BGP table version is 10
    4 BGP AS-PATH entries
    0 BGP community entries

    Neighbor            V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    172.16.201.2        4  65050  189      192      8       0    0     00:00:15  3
    2000:172:16:201::2  4  65050  165      167      9       0    0     00:00:12  3

    Total number of neighbors 2
- The BGP routes are learned again, and there are new timers in the route tables:
    # get router info routing-table bgp
    Routing table for VRF=0
    B    172.28.1.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B    172.28.2.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B    172.28.5.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15
    B    172.28.6.0/24 [20/0] via 172.16.201.2 (recursive via 172.16.200.4, port1), 00:00:15

    # get router info6 routing-table bgp
    Routing table for VRF=0
    B    2000:172:28:1::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13
    B    2000:172:28:2::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13
    B    2000:172:28:3::/64 [20/0] via 2000:172:16:201::2 (recursive via 2000:172:16:200::4, port1), 00:00:13
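The same before and after comparison can be automated for monitoring: an expected BFD peer that is absent from the neighbor table, or a BGP Up/Down timer that has dropped back to a few seconds, indicates the reset described above. This Python sketch is an added example, not Fortinet tooling. It uses rows taken from the captures on this page, handles only the IPv4 `bfd neighbor` table layout, and its function names and 300-second threshold are assumptions.

```python
import re

# Rows taken from this page's captures, one per line (before and after the disruption).
BFD_AFTER = "OurAddress NeighAddress State Interface LDesc/RDesc\n"
BFD_BEFORE = BFD_AFTER + "172.16.200.1 172.16.201.2 UP port1 5/3/M\n"
BGP_HEADER = "Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd\n"
BGP_BEFORE = BGP_HEADER + (
    "172.16.201.2 4 65050 185 187 10 0 0 00:54:20 4\n"
    "2000:172:16:201::2 4 65050 159 160 10 0 0 00:54:24 4\n")
BGP_AFTER = BGP_HEADER + (
    "172.16.201.2 4 65050 189 192 11 0 0 00:00:11 4\n"
    "2000:172:16:201::2 4 65050 165 167 12 0 0 00:00:08 4\n")

def bfd_states(output):
    """Map NeighAddress -> State from the IPv4 'bfd neighbor' table."""
    rows = (line.split() for line in output.splitlines()[1:])
    return {r[1]: r[2] for r in rows if len(r) >= 3}

def bgp_uptimes(output):
    """Map neighbor -> seconds since the session came up (None if not decoded)."""
    uptimes = {}
    for fields in (line.split() for line in output.splitlines()):
        if len(fields) != 10 or fields[0] == "Neighbor":
            continue
        m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", fields[8])
        # Assumption: only the HH:MM:SS form shown on this page is decoded.
        uptimes[fields[0]] = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3]) if m else None
    return uptimes

def findings(bfd_expected, bfd_out, bgp_out, recent_s=300):
    """Flag expected BFD peers that are not UP and BGP sessions younger than recent_s."""
    out = []
    states = bfd_states(bfd_out)
    for peer in bfd_expected:
        if states.get(peer) != "UP":
            out.append(f"BFD {peer}: {states.get(peer, 'missing')}")
    for peer, secs in bgp_uptimes(bgp_out).items():
        if secs is not None and secs < recent_s:
            out.append(f"BGP {peer}: session reset {secs}s ago")
    return out
```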