|
|
|
In This Section: |
From R80.20, the Gaia OS supports Bidirectional Forwarding Detection (BFD). See RFC 5880 and RFC 5881 for more information.
In a ClusterXL High Availability mode, only the Active member sends and accepts BFD packets.
In a VRRP cluster, only the Master member sends and accepts BFD packets.
ClusterXL Standby and VRRP Backup cluster members do not send or accept BFD packets. They treat all their peer cluster members as reachable.
From R80.30, the Gaia OS supports BFD in Static Routes. BFD for static routes uses BFD protocol to monitor reachability of a BFD peer and updates the status of an associated static route nexthop in accordance to the reachability status. The status of the static route nexthop is "down", if that BFD peer is unreachable.
BFD can be authenticated on a given address range, with specified authentication type, key id, and shared secret. If BFD authentication is already enabled on the address range, you can add another key (up to ten) with a unique key id, or replace the configured key.
BFD authentication is disabled by default
For BFD authentication to work properly, you must configure the local and remote BFD peers to:
Syntax
set ip-reachability-detection address <ARANGE> bfd-authtype (md5 | sha1 | meticulous-md5 | meticulous-sha1) key <KEYID> {secret <SECRET> | hex-secret <XSECRET>}
Item |
Description |
|---|---|
|
An address range. An address range consists of an IP address and mask length. For example: 0.0.0.0/0 (applies to all IPv4 addresses), 10.20.30.40/32 (applies to a single IPv4 address). Configuration in the range applies to any BFD sessions whose remote peer addresses are in the range. If ranges overlap, the narrowest range takes precedence. For example: 10.1.1.0/24 overrides 10.1.0.0/16. |
|
The BFD authentication type:
MD5 keys can be up to 16 bytes long. SHA1 keys can be up to 20 bytes long. Interoperability with other vendors may require that you limit keys to 15 and 16 bytes respectively. We recommended that you use sha1 or meticulous-sha1. See also RFC 5880. Gaia transmits only the key with the lowest key id number. Gaia accepts packets with any key. |
|
A number which uniquely identifies the key, if more than one is used. Must be exactly the same as on the remote peer. BFD supports the use of multiple keys (up to ten). Make sure that the sets of keys (key ids and shared secrets) are identical to those on the remote peer. Range: 0-255. |
|
Shared secret, as a text string, one byte per character. For example:
|
|
Equivalent to SECRET. You can specify the shared secret in hexadecimal notation, with two digits per byte. For example:
|
To remove BFD authentication for an address range, run:
set ip-reachability-detection address <ARANGE> bfd-authtype delete
Or
set ip-reachability-detection address <ARANGE> off
To remove a given key from the configuration:
set ip-reachability-detection address <ARANGE> bfd-authtype <ATYPE> key <KEYID> off
This can disable BFD authentication if no more keys are left.
To disable BFD authentication for a given address range:
set ip-reachability-detection address <ARANGE> bfd-authtype none
This deletes any keys configured for that address range and overrides any broader address ranges which overlap it.
To change the authentication type for a given address range:
set ip-reachability-detection address <ARANGE> bfd-authtype <ATYPE>
The detect multiplier, minimum RX interval and minimum TX interval settings, from both sides, set the detection time (timeout) that BFD uses. The minimum interval and the detect multiplier, multiplied together, make the timeout. Best Practice - We recommend that the calculated timeout be at least 1 second, preferably 3 seconds (or more) for reliability. For more details, see RFC 5880.
If you have clusters, make sure the calculated timeout for Gaia is longer than the time necessary for the cluster to complete an unattended failover in your environment. We recommend that you first test failover in your environment
The BFD interval Clish commands are global for all BFD sessions on a host or Virtual System.
Syntax
set ip-reachability-detection bfd-{detect-multiplier <multiplier> | min-rx-interval <number_of_mses> | min-tx-interval <number_of_mses>}
Parameter |
Description |
|---|---|
|
Sets the BFD detect multiplier that the system advertises. It determines the remote system timeout. Smaller values produce quicker detection, larger values have better reliability. The Gaia default of 300ms and 10, makes 3 secondsIf the remote peer’s detect multiplier is 1, the detection time on a Gaia gateway increases by 12.5% above the RFC 5880 specification, to improve reliability.
|
min-rx-interval <number_of_mses> |
Sets the BFD minimal RX interval that the system advertises, in milliseconds. It sets the local system timeout and the rate at which the remote system transmits packets. Smaller values produce quicker detection, larger values reduce network load.
|
|
Sets the BFD minimal TX interval that this system advertises, in milliseconds. It sets the remote system timeout and the rate at which the local system transmits packets. Smaller values produce quicker detection, larger values reduce network load.
|
You can see the basic BFD settings (configured or default), and a table of the peer IP addresses and their statuses.
Run:
show ip-reachability-detection summary
Output example for IPv4:
BFD Minimum TX Interval: 300 ms BFD Minimum RX Interval: 300 ms BFD Detect Multiplier: 10 Remote Address Protocol Reachable 10.1.3.13 _ _ _ _ _ _ _ _ _ _ BFD No 10.1.254.1 _ _ _ _ _ _ _ _ _ _ BFD Yes |
Output example for IPv6:
BFD Minimum TX Interval: 300 ms BFD Minimum RX Interval: 300 ms BFD Detect Multiplier: 10 Remote Address Protocol Reachable 10.10.13.1 _ _ _ _ _ _ _ _ _ _ BFD Yes 10.10.13.11 _ _ _ _ _ _ _ _ _ BFD Yes 10.10.34.4 _ _ _ _ _ _ _ _ _ _ BFD Yes 13::1 _ _ _ _ _ _ _ _ _ _ _ BFD Yes 34::4 _ _ _ _ _ _ _ _ _ _ _ BFD Yes fe80::a1 (bond212) _ _ _ _ _ _ _ BFD Yes |
For a more detailed BFD report, run:
show ip-reachability-detection detailed
For the maximum level of detail, run:
show ip-reachability-detection ip-address <IP>
Item |
Description |
|---|---|
|
IP address of the peer. |
|
Is BFD used? |
|
Is the peer reachable (according to the BFD protocol state)? |
|
How long in current status (uptime or downtime)? |
|
BFD protocol-specific data. |
|
State, and if state is not Up, diagnostic code. |
|
Intervals advertised by us and the peer; detect multiplier advertised by the peer (as in RFC 5880). |
|
Failure detection time. It is often longer when the connection is already down (as shown here) than when it is up. Rounded to the nearest tenth of a second. |
|
BFD packets received for this session: total count and time since the last accepted packet. |
|
Count by reason of BFD packets received but rejected. These counters do not include packets not received by the interface, packets dropped by the firewall, invalid BFD packets, or unidentified as part of the session. Counts are reset on boot, when BFD session is deleted, or if routed restarts. |
|
|
|
Mismatch: The two endpoints have different authentication configurations (mismatch of authentication type or key ID). For example, one uses BFD authentication and the other does not. You may see this when you change configurations. |
|
Badly formatted authentication section in an otherwise valid BFD packet. Very rare. |
|
Sequence number of a received packet is out of order. If you see this for a short time, it indicates that a peer is reachable again or that the configuration changed. If this count continuously increases, it can indicate an attempted replay attack. |
|
The received packet has an incorrect message digest. This shows when the two peers do not have the same shared secret configured for BFD authentication. |
|
The discriminator in a BFD packet was zero, when that was not permitted. If you see this for a short time, it indicates that a peer, which was not reachable, is reachable again. |
|
IPv4 Time to Live (TTL) field of the packet was not equal to 255, as required by RFC 5881. Can indicate misconfiguration or attempted attack (Rare). |
|
Count of BFD packets sent out of the BFD module in this session, and when was the last packet sent. If the firewall drops a packet, it is counted here as transmitted and not as failed. |
|
A random, unique discriminator identifies a BFD session, on a Gaia machine. |
|
The UDP source port, from which BFD packets are sent by this host to this peer. |
Number of Transitions: 4 Last 10 Transitions: Current time is: Oct 30 12:58:05 State Time Not Reachable Oct 30 12:55:44 Reachable Oct 30 12:55:36 Not Reachable Oct 30 12:55:05 Reachable Oct 30 12:55:05 |
A record of recent transitions (reachable or not reachable) with this peer. The output shows the current date and time, for easy comparison with the date and time of the events. |
