This article explains how to configure Bidirectional Forwarding Detection (BFD) for BGP neighbors for sites in your account.
BFD is a detection protocol used to provide fast path error detection. The BFD mechanism allows fast routing convergence, meaning BGP failover.
Cato follows BFD RFCs 5880, 5881, and 5882.
Once the BFD peer detects a failure, it notifies the BGP peer to close the session and trigger failover to the secondary path. When you do not configure BFD, the BGP session will be torn down only according to the BGP hold time, which is configured as 60 seconds by default.
- Speeding up BGP convergence - BFD can quickly detect connection issues and trigger the routing protocol to move to an alternative failover path for Cato sites.
  For example, BGP convergence for IPsec sites can take up to 60 seconds without BFD. After BFD is configured for a site, the default detection time is approximately 5 seconds.
- The acceptable setting for the BFD time interval (transmit and receive) is between 100 and 1800 milliseconds.
  Note: The transmit and receive intervals should fall within the range of 2 to 20 packets in order to work optimally.
- BFD Asynchronous Mode is supported by default (Echo Mode, Demand Mode, and BFD authentication mechanisms aren't supported).
- BFD is supported for IPSec and Cloud Interconnect sites.
Note: Cato supports BFD in the asynchronous mode.
To establish a BFD session, enable and configure BFD in the Cato Management Application, as well as on the remote peer. When the BFD session is established, BFD timers are negotiated, and the BFD peers start exchanging control packets at the agreed-upon interval settings (BFD is initiated by Cato by default if there is at least one BFD-enabled active peer).
The effective detection time of a BFD session is determined by the local detection multiplier, the minimum receive interval, and the minimum transmit interval for BFD packets. The formula for calculating detection time is as follows:
Note: If different BFD profiles exist, only the profile with the lowest detection time is used.
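When checking a remote peer against these settings from a packet capture, the relevant values are carried in the BFD control packet itself. The following added example (not Cato's code, and not the article's own formula) decodes the mandatory section defined in RFC 5880 section 4.1, flags the features this article lists as unsupported, and computes the detection time as RFC 5880 section 6.8.4 defines it for asynchronous mode; the sample packets and helper names are constructed for illustration.

```python
import struct

STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

def parse_bfd_control(pkt: bytes) -> dict:
    """Decode the mandatory 24-byte section of a BFD control packet (RFC 5880, 4.1)."""
    if len(pkt) < 24:
        raise ValueError("shorter than the 24-byte mandatory section")
    b0, b1, mult, length, _my, _your, tx, rx, echo = struct.unpack("!4B5I", pkt[:24])
    if b0 >> 5 != 1:
        raise ValueError("not BFD version 1")
    if not 24 <= length <= len(pkt):
        raise ValueError("Length field does not match the packet")
    return {"state": STATES[b1 >> 6], "auth": bool(b1 & 0x04),
            "demand": bool(b1 & 0x02), "detect_mult": mult,
            # Intervals are carried in microseconds; the article uses ms.
            "tx_ms": tx / 1000, "rx_ms": rx / 1000, "echo_rx_ms": echo / 1000}

def unsupported_features(p: dict) -> list:
    """Features the peer advertises that the article lists as unsupported."""
    checks = [("authentication", p["auth"]), ("demand mode", p["demand"]),
              ("echo mode", p["echo_rx_ms"] > 0)]
    return [name for name, present in checks if present]

def detection_time_ms(local_rx_ms: float, remote: dict) -> float:
    """RFC 5880, 6.8.4 (asynchronous mode), as seen by the local system:
    remote Detect Mult x max(local Required Min RX, remote Desired Min TX)."""
    return remote["detect_mult"] * max(local_rx_ms, remote["tx_ms"])

def build(flags: int, mult: int, tx_us: int, rx_us: int, echo_us: int,
          auth: bytes = b"") -> bytes:
    """Constructed sample packet: version 1, no diagnostic, state Up."""
    return struct.pack("!4B5I", 1 << 5, (3 << 6) | flags, mult, 24 + len(auth),
                       0x11, 0x22, tx_us, rx_us, echo_us) + auth

# Constructed samples: a clean asynchronous peer, and one advertising
# authentication (simple password section), demand mode and echo receive.
CLEAN = build(0x00, 3, 300_000, 300_000, 0)
NOISY = build(0x06, 3, 300_000, 300_000, 50_000, auth=bytes([1, 7, 1]) + b"test")

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("noisy", NOISY)):
        peer = parse_bfd_control(raw)
        # 1000 ms is the article's default receive interval for IPsec sites.
        print(name, peer["state"], unsupported_features(peer),
              detection_time_ms(1000, peer), "ms")
```

A peer that shows up with any of the flagged features needs its BFD profile changed before the session can match what this article describes as supported.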
Using BFD for Cloud Interconnect sites is considered a best practice. The BFD transmit and receive intervals have a significant impact on network conditions: intervals that are too small can cause network instability, and intervals that are too large can reduce BFD effectiveness.
The default BFD values (500 ms transmit, 500 ms receive, and a multiplier of 3) are generally optimal for BFD performance over L2 connections, but you can adjust these settings according to your site type if needed.
Each cloud provider defines a different default value. For example, AWS defines the default value for Direct Connect BFD to be 300 ms and a multiplier of 3.
Using BFD for IPSec sites can dramatically improve the convergence time and the stability of your network. However, it's important to note that IPsec tunnels are internet-based connections with latency around 10-20 ms.
Therefore, too small a detection time can cause network instability, and intervals that are too large can reduce BFD effectiveness.
The default BFD values (1000 ms transmit, 1000 ms receive, and a multiplier of 5) are generally optimal for BFD performance over an internet connection, but you can adjust these settings according to your site type if needed.
Note: Make sure that you have the vendor documentation for specific default values and instructions for configuring BFD.
Also, after you modify the BFD timers, make sure to disable and then enable the BFD session for the timers to be implemented. If you do not reset the BFD session, your changes are ignored.
This section explains how to define BFD settings for existing BGP peers or configure BFD for a new BGP peer.
For more about creating a new BGP neighbor, see Defining BGP Neighbors.
To configure BFD settings for a site:
- From the navigation menu, click Network > Sites and select the site.
- From the navigation menu, click Site Settings > BGP.
- Click New to create a new BGP peer or edit an existing one. The Edit BGP Neighbor panel opens.
- In the Additional Settings section, select Enable BFD and configure these settings:
  - Transmit interval - The interval at which BFD control packets are sent over the network.
  - Receive interval - The minimum accepted interval at which BFD control packets are received over the network from the neighbor.
  - Multiplier - The BFD detection time when changes in transmit and receive intervals occur.
- Click Apply, and then click Save.
You can monitor the status of BFD for your BGP neighbors and their events as follows:
- BFD Status - The BFD status is shown as part of the BGP settings: go to Site Configuration > BGP and click the Show BGP Status button. The BFD Status is Up or Down.
- BFD Events - In Monitoring > Events, you can inspect dedicated BFD events by filtering for event type Routing and sub-type BFD Session.
  You can also view the BGP Disconnected Error Code field for cases when the BFD session tears down the BGP session with the CeaseBfdDown reason.
2 comments
Hi,
The known limitations area is ambiguous, as it states “BFD is supported for IPSec and Cloud Interconnect sites.” without the word “only”. The support clarified that for me, but maybe you would like to update the known limitations to make the sentence waterproof.
BR
Uwe
Uwe Thies - Excellent point! Thanks for the comment, we updated the article.