Configuring BFD on Nexus NX-OS

BFD is listed in the CCIE Data Center Lab Blueprint as, “1.2.c – Implement BFD for dynamic routing protocols”. In this blog post, I’ll be explaining BFD and going over its relevance for dynamic routing protocols. Without further ado.

Bidirectional Forwarding Detection (BFD) is a protocol designed to quickly detect failures in the forwarding-path, and notify the configured protocols (OSPF, EIGRP, BGP, HSRP, etc) immediately, before they’ve even had an opportunity to be aware of the failure themselves. This results in expedited, sub-second detection of failed forwarding-paths, leading to quicker convergence.

BFD on NX-OS runs in Asynchronous mode, where a BFD neighbor relationship session is formed between two adjacent devices, and they exchange control packets to monitor the session. The configurable parameters used in the session include:

Desired minimum transmit interval
– The Hello interval (default of 50 milliseconds)
Required minimum receive interval
– The minimum interval at which the device can accept BFD hellos (default of 50 milliseconds)
Detect multiplier
– The number of missed BFD hellos before a fault is declared (default of 3)

To visualize BFD, there is a great example of a BFD failure scenario in the NX-OS Interface Configuration Guide.

Router A and B have an OSPF neighbor relationship with BFD enabled.

[Figure: BFD failure scenario]

1. The BFD neighbor session is torn down (between the OSPF neighbors in this case).
2. BFD notifies the local OSPF process on each side that the BFD neighbor is no longer reachable.
3. The local OSPF process tears down the OSPF neighbor relationship.
4. If an alternative path is available, the routers immediately start to converge.

With these default values, failure detection occurs in 150ms, much faster than OSPF hello messages could detect.

Configure BFD

To configure BFD, first enable the feature:

N7K1(config)# feature bfd

2014 Jul 12 18:43:07 N7K1 %BFD-5-BFD_ENABLED: BFD Enabled
Please disable the ICMP / ICMPv6 redirects on all IPv4 and IPv6 interfaces running BFD sessions using the command below

'no ip redirects '
'no ipv6 redirects '

Note that although this warning message appears, you technically can configure BFD without disabling ICMP redirects and the neighbor relationship will still form. Best practice is to disable ICMP redirects, so if you haven’t done so already, you might as well disable them now.

Now that BFD is enabled on the switch, we need to tell the protocol to use it. This can be enabled on any routing protocol, but here we’ll look at OSPF and EIGRP, since these are the only two listed on the CCIE:DC Lab Blueprint.

First, let’s look at EIGRP.

Configure BFD for EIGRP

We already have an EIGRP neighbor relationship formed between N7K1 and N7K2:

N7K1(config-router)# sho ip eigrp nei
IP-EIGRP neighbors for process 1 VRF default
H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.190.190.2            Eth3/9          13   00:19:04  1    50    0   22  
 
N7K2(config-router)# show ip eigrp neighbors
IP-EIGRP neighbors for process 1 VRF default
H   Address                 Interface       Hold  Uptime  SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.190.190.1            Eth3/9          12   00:18:20  1    50    0   21

Currently we have no BFD neighbors:

N7K1# show bfd neighbors 
N7K1# 

Let’s enable BFD for EIGRP

N7K2:

N7K2(config-if)# router eigrp Instance1
N7K2(config-router)# bfd 

2014 Jul 12 18:49:46 N7K2 %BFD-5-SESSION_MOVED: BFD session 0x43000001: Installed on LC 3
2014 Jul 12 18:49:46 N7K2 %BFD-5-SESSION_CREATED: BFD session to neighbor 10.190.190.1 on interface Eth3/9 has been created

N7K2(config-router)# show bfd neighbors

OurAddr         NeighAddr       LD/RD                 RH/RS           Holdown(mult)     State       Int          Vrf                             
10.190.190.2    10.190.190.1    1124073473/0          Down            N/A(3)            Down        Eth3/9       default                         

Notice we now have a BFD neighbor, but the state is DOWN. Let’s configure N7K1:

N7K1(config-if)# router eigrp Instance1 
N7K1(config-router)# bfd

2014 Jul 12 18:50:08 N7K1 %BFD-5-SESSION_MOVED: BFD session 0x43000001: Installed on LC 3
2014 Jul 12 18:50:08 N7K1 %BFD-5-SESSION_CREATED: BFD session to neighbor 10.190.190.2 on interface Eth3/9 has been created
2014 Jul 12 18:50:10 N7K1 %BFD-5-SESSION_STATE_UP: BFD session 1124073473 to neighbor 10.190.190.2 on interface Eth3/9 is up.

Looks like our neighbor is up, let’s verify on N7K2:

N7K2(config-router)# show bfd neighbors

OurAddr         NeighAddr       LD/RD                 RH/RS           Holdown(mult)     State       Int          Vrf                             
10.190.190.2    10.190.190.1    1124073473/1124073473 Up              4494(3)           Up          Eth3/9       default 


It’s as simple as that! Now when a failure is detected, BFD will notify EIGRP so it can tear down the neighbor and begin the reconvergence process immediately.

Configure BFD for OSPF

To configure for OSPF, we follow nearly identical steps.

N7K1(config)# router ospf 10 
N7K1(config-router)# bfd

N7K2(config)# router ospf 10 
N7K2(config-router)# bfd
 
N7K1(config-router)# show bfd nei

OurAddr         NeighAddr       LD/RD                 RH/RS           Holdown(mult)     State       Int                   Vrf                             
10.190.190.1    10.190.190.2    1124073479/1124073477 Up              5596(3)           Up          Eth3/9                default   

Now for the fun part. Let’s see BFD in action, and compare BFD to standard OSPF detection.

Comparison of OSPF failure detection with/without BFD

Here is a rundown of what we’ll do to show the power of BFD:

Straight OSPF:
1. Create a simple ACL that denies all IP traffic
2. Apply the ACL to the OSPF interface
3. Monitor detection of the failure, and reconvergence time

OSPF with BFD:
1. Enable BFD for OSPF
2. Apply the ACL to the OSPF interface
3. Monitor detection of the failure, and reconvergence time

Straight OSPF:

First we will create the ACL:

N7K2(config)# ip access-list DENY_ALL
N7K2(config-acl)# deny ip any any

Now apply the ACL to the OSPF Interface, and immediately look at the clock:

N7K2(config)# interface ethernet 3/9
N7K2(config-if)# ip access-group DENY_ALL in

N7K2(config-if)# show clock
19:59:28.383 EST Sat Jul 12 2014

It’s been almost 30 seconds and we still have an OSPF adjacency. Let’s look at the OSPF neighbor detail:

N7K2(config-if)# show ip ospf neighbors detail
 Neighbor 10.0.255.1, interface address 10.190.190.1
    Process ID 10 VRF default, in area 0.0.0.0 via interface Ethernet3/9
    State is FULL, 4 state changes, last change 00:09:58
    Neighbor priority is 1
    DR is 10.190.190.2 BDR is 10.190.190.1
    Hello options 0x2, dbd options 0x42
    Last non-hello packet received never
      Dead timer due in 00:00:12

OK, the Dead timer is due in another 12 seconds. And, finally, after the default OSPF Dead timer of 40 seconds expires, here is our neighbor down update:

2014 Jul 12 19:59:56 N7K2 %OSPF-5-ADJCHANGE:  ospf-10 [7859]  Nbr 10.190.190.1 on Ethernet3/9 went DOWN 

Now, let’s compare this to BFD. Make sure the OSPF neighbors are restored and the ACL removed, then enable BFD on both N7Ks:

OSPF with BFD:

N7K2(config)# router ospf 10
N7K2(config-router)# bfd

N7K1(config)# router ospf 10
N7K1(config-router)# bfd

Re-apply the ACL:

N7K2(config)# interface e3/9
N7K2(config-if)# show clock
20:07:58.024 EST Sat Jul 12 2014

N7K2(config-if)# ip access-group DENY_ALL in
2014 Jul 12 20:07:59 N7K2 %BFD-5-SESSION_STATE_DOWN: BFD session 1124073479 to neighbor 10.190.190.1 on interface Eth3/9 has gone down. Reason: Echo Function Failed.
2014 Jul 12 20:07:59 N7K2 %OSPF-5-ADJCHANGE:  ospf-10 [7859]  Nbr 10.190.190.1 on Ethernet3/9 went DOWN
2014 Jul 12 20:07:59 N7K2 %BFD-5-SESSION_REMOVED: BFD session to neighbor 10.190.190.1 on interface Eth3/9 has been removed

Now that was quick! Notice the sub-second detection of the failure: OSPF is notified and brings the neighbor down without waiting for the Dead timer to expire. Awesome!
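To put numbers on the comparison above, here is a small log parser, added as an example and not part of the original post. It reads NX-OS syslog lines in the shape shown in the two runs, pulls out the OSPF ADJCHANGE and BFD SESSION_STATE_DOWN events, and measures how long after the ACL was applied the adjacency actually dropped. The sample lines and the "ACL applied" times are constructed from the post's own runs (the `show clock` readings taken just before the `ip access-group` command); the function names are my own.

```python
"""Measure OSPF neighbor-down latency with and without BFD from NX-OS syslog.

Added example (not from the original post). Assumes the syslog format
'<YYYY Mon DD HH:MM:SS> <host> %FACILITY-SEV-MNEMONIC: <message>' as shown
in the post; sample lines below are constructed from the post's two runs.
"""
import re
from datetime import datetime

# Constructed sample: straight OSPF run (ACL applied right after 19:59:28).
STRAIGHT_OSPF_LOG = """\
2014 Jul 12 19:59:56 N7K2 %OSPF-5-ADJCHANGE:  ospf-10 [7859]  Nbr 10.190.190.1 on Ethernet3/9 went DOWN
"""

# Constructed sample: OSPF with BFD run (ACL applied right after 20:07:58).
BFD_LOG = """\
2014 Jul 12 20:07:59 N7K2 %BFD-5-SESSION_STATE_DOWN: BFD session 1124073479 to neighbor 10.190.190.1 on interface Eth3/9 has gone down. Reason: Echo Function Failed.
2014 Jul 12 20:07:59 N7K2 %OSPF-5-ADJCHANGE:  ospf-10 [7859]  Nbr 10.190.190.1 on Ethernet3/9 went DOWN
2014 Jul 12 20:07:59 N7K2 %BFD-5-SESSION_REMOVED: BFD session to neighbor 10.190.190.1 on interface Eth3/9 has been removed
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)$"
)
ADJ_DOWN_RE = re.compile(r"Nbr (\S+) on (\S+) went DOWN")
BFD_DOWN_RE = re.compile(r"to neighbor (\S+) on interface (\S+) has gone down\. Reason: (.+?)\.?$")


def parse_syslog(text):
    """Return one dict per parseable line, with 'ts' as a datetime."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip anything that is not an NX-OS syslog line
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def ospf_neighbor_downs(events):
    """(timestamp, neighbor, interface) for every OSPF ADJCHANGE ... went DOWN."""
    out = []
    for ev in events:
        if ev["fac"] == "OSPF" and ev["mnem"] == "ADJCHANGE":
            m = ADJ_DOWN_RE.search(ev["msg"])
            if m:
                out.append((ev["ts"], m.group(1), m.group(2)))
    return out


def bfd_down_reasons(events):
    """Map neighbor -> reason string for each BFD SESSION_STATE_DOWN event."""
    reasons = {}
    for ev in events:
        if ev["fac"] == "BFD" and ev["mnem"] == "SESSION_STATE_DOWN":
            m = BFD_DOWN_RE.search(ev["msg"])
            if m:
                reasons[m.group(1)] = m.group(3)
    return reasons


def detection_latency_s(text, applied_at):
    """Whole seconds from the ACL being applied to the first OSPF neighbor DOWN."""
    downs = ospf_neighbor_downs(parse_syslog(text))
    if not downs:
        return None  # adjacency never dropped in this log excerpt
    return int((downs[0][0] - applied_at).total_seconds())


def detection_method(text):
    """'bfd' if BFD reported the session down no later than OSPF did, else 'dead-timer'."""
    events = parse_syslog(text)
    downs = ospf_neighbor_downs(events)
    bfd = [ev["ts"] for ev in events if ev["mnem"] == "SESSION_STATE_DOWN"]
    if downs and bfd and min(bfd) <= downs[0][0]:
        return "bfd"
    return "dead-timer"


if __name__ == "__main__":
    for name, log, applied in (
        ("straight OSPF", STRAIGHT_OSPF_LOG, datetime(2014, 7, 12, 19, 59, 28)),
        ("OSPF with BFD", BFD_LOG, datetime(2014, 7, 12, 20, 7, 58)),
    ):
        print(name, detection_method(log), f"{detection_latency_s(log, applied)} s",
              bfd_down_reasons(parse_syslog(log)))
```

Run against the two constructed excerpts, the straight-OSPF run shows the adjacency dropping 28 seconds after the `show clock` reading (the Dead timer had already been running for part of its 40 seconds), while the BFD run drops it within one second, with the reason recorded as the echo function failing.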

You can optimize this even further by tweaking the BFD parameters; please refer to the NX-OS Interface Configuration Guide for more details. However, I am going to cover one additional topic here:

Securing BFD with SHA-1 Authentication

To configure SHA-1 authentication for the BFD session, you only need to configure this command on each neighbor interface:

bfd authentication keyed-sha1 keyid id key ascii_key

Let’s see an example. On N7K1, look at the current neighbor details and notice Authentication is set to “None” and the Authentication bit is set to “0”.

N7K1# sh bfd neighbors details

OurAddr         NeighAddr       LD/RD                 RH/RS           Holdown(mult)     State       Int                   Vrf                            
10.190.190.1    10.190.190.2    1124073483/1124073480 Up              5817(3)          Up          Eth3/9                default                        

Session state is Up and using echo function with 50 ms interval
Local Diag: 0, Demand mode: 0, Poll bit: 0, Authentication: None
MinTxInt: 50000 us, MinRxInt: 2000000 us, Multiplier: 3
Received MinRxInt: 2000000 us, Received Multiplier: 3
Holdown (hits): 6000 ms (0), Hello (hits): 2000 ms (69)
Rx Count: 79, Rx Interval (ms) min/max/avg: 0/1792/1685 last: 182 ms ago
Tx Count: 69, Tx Interval (ms) min/max/avg: 1959/1959/1959 last: 1821 ms ago
Registered protocols:  ospf
Uptime: 0 days 0 hrs 2 mins 10 secs
Last packet: Version: 1                - Diagnostic: 0 
             State bit: Up             - Demand bit: 0 
             Poll bit: 0               - Final bit: 0 
             Multiplier: 3             - Length: 24 
             My Discr.: 1124073480     - Your Discr.: 1124073483 
             Min tx interval: 50000    - Min rx interval: 2000000 
             Min Echo interval: 50000  - Authentication bit: 0 
Hosting LC: 3, Down reason: None, Reason not-hosted: None

Now, configure BFD authentication on each adjacent neighbor interface.

N7K1(config-if)# bfd authentication keyed-SHA1 key-id 1 key MYBFDKEY 
 
N7K2(config-if)# bfd authentication keyed-SHA1 key-id 1 key MYBFDKEY  

Verify the session is now authenticated:

DC1-CORE(config-if)# sh bfd neighbors details

OurAddr         NeighAddr       LD/RD                 RH/RS           Holdown(mult)     State       Int                   Vrf                            
10.190.190.1    10.190.190.2    1124073483/1124073480 Up              5377(3)          Up          Eth3/9                default                        

Session state is Up and using echo function with 50 ms interval
Local Diag: 0, Demand mode: 0, Poll bit: 0, Authentication: Keyed-SHA1
MinTxInt: 50000 us, MinRxInt: 2000000 us, Multiplier: 3
Received MinRxInt: 2000000 us, Received Multiplier: 3
Holdown (hits): 6000 ms (0), Hello (hits): 2000 ms (126)
Rx Count: 144, Rx Interval (ms) min/max/avg: 0/1792/1692 last: 622 ms ago
Tx Count: 126, Tx Interval (ms) min/max/avg: 1959/1959/1959 last: 1035 ms ago
Registered protocols:  ospf
Uptime: 0 days 0 hrs 4 mins 1 secs
Last packet: Version: 1                - Diagnostic: 0 
             State bit: Up             - Demand bit: 0 
             Poll bit: 0               - Final bit: 0 
             Multiplier: 3             - Length: 24 
             My Discr.: 1124073480     - Your Discr.: 1124073483 
             Min tx interval: 50000    - Min rx interval: 2000000 
             Min Echo interval: 50000  - Authentication bit: 1 
Hosting LC: 3, Down reason: None, Reason not-hosted: None 
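The `show bfd neighbors details` output above carries everything needed to check a session by hand: the locally configured intervals and multiplier, the values the peer sent in its last control packet, and whether authentication is actually in effect. The parser below is an added example, not code from the original post or from Cisco. It reads that output format, recomputes the holddown and hello intervals the way the session parameters earlier in the post describe (RFC 5880 asynchronous mode: detection time is the peer's multiplier times the larger of our required minimum receive interval and the peer's desired minimum transmit interval; the transmit interval is the larger of our desired minimum transmit interval and the peer's required minimum receive interval), checks them against what the switch reports, and flags a session whose authentication is still `None`. The echo detection figure assumes echo interval times the local multiplier, which is where the post's 50 ms × 3 = 150 ms number comes from. The sample text is a trimmed, constructed copy of the post's output; the function names are my own.

```python
"""Parse NX-OS `show bfd neighbors details` and audit the session.

Added example, not from the original post. It assumes the field layout shown
in the post and the RFC 5880 asynchronous-mode interval formulas; the echo
detection time assumes echo interval x local multiplier.
"""
import re

# Constructed sample: trimmed copy of the post's pre-authentication output.
SAMPLE_UNAUTH = """\
Session state is Up and using echo function with 50 ms interval
Local Diag: 0, Demand mode: 0, Poll bit: 0, Authentication: None
MinTxInt: 50000 us, MinRxInt: 2000000 us, Multiplier: 3
Received MinRxInt: 2000000 us, Received Multiplier: 3
Holdown (hits): 6000 ms (0), Hello (hits): 2000 ms (69)
Registered protocols:  ospf
Last packet: Version: 1                - Diagnostic: 0
             Multiplier: 3             - Length: 24
             Min tx interval: 50000    - Min rx interval: 2000000
             Min Echo interval: 50000  - Authentication bit: 0
"""

# Constructed sample: the same session after keyed-SHA1 was configured.
SAMPLE_AUTH = (SAMPLE_UNAUTH
               .replace("Authentication: None", "Authentication: Keyed-SHA1")
               .replace("Authentication bit: 0", "Authentication bit: 1"))

_PATTERNS = {
    "echo": r"using echo function with (\d+) ms interval",
    "authentication": r"Authentication: (\S+)",
    "local": r"MinTxInt: (\d+) us, MinRxInt: (\d+) us, Multiplier: (\d+)",
    "received": r"Received MinRxInt: (\d+) us, Received Multiplier: (\d+)",
    "reported": r"Holdown \(hits\): (\d+) ms.*?Hello \(hits\): (\d+) ms",
    "last_pkt": r"Min tx interval: (\d+)\s+- Min rx interval: (\d+)",
    "auth_bit": r"Authentication bit: (\d)",
}


def _grab(text, key):
    m = re.search(_PATTERNS[key], text)
    if m is None:
        raise ValueError(f"field not found in output: {key}")
    return m.groups()


def parse_bfd_details(text):
    """Extract local, peer-advertised and reported session parameters."""
    tx, rx, mult = map(int, _grab(text, "local"))
    r_rx, r_mult = map(int, _grab(text, "received"))
    r_tx, _ = map(int, _grab(text, "last_pkt"))  # peer's Desired Min TX from its last packet
    holdown, hello = map(int, _grab(text, "reported"))
    echo = re.search(_PATTERNS["echo"], text)
    return {
        "local_min_tx_us": tx, "local_min_rx_us": rx, "local_mult": mult,
        "remote_min_tx_us": r_tx, "remote_min_rx_us": r_rx, "remote_mult": r_mult,
        "echo_ms": int(echo.group(1)) if echo else None,
        "authentication": _grab(text, "authentication")[0],
        "auth_bit": int(_grab(text, "auth_bit")[0]),
        "reported_holdown_ms": holdown, "reported_hello_ms": hello,
    }


def detection_time_ms(p):
    """Control-packet detection time: remote mult x max(local min RX, remote min TX)."""
    return p["remote_mult"] * max(p["local_min_rx_us"], p["remote_min_tx_us"]) // 1000


def transmit_interval_ms(p):
    """Negotiated hello interval: max(local min TX, remote min RX)."""
    return max(p["local_min_tx_us"], p["remote_min_rx_us"]) // 1000


def echo_detection_ms(p):
    """Echo-path detection time (assumed: echo interval x local multiplier)."""
    return None if p["echo_ms"] is None else p["echo_ms"] * p["local_mult"]


def audit(text):
    """Return a list of findings; an empty list means the session looks as expected."""
    p = parse_bfd_details(text)
    findings = []
    if p["authentication"] == "None" or p["auth_bit"] == 0:
        findings.append("session is unauthenticated (Authentication: None / auth bit 0)")
    if detection_time_ms(p) != p["reported_holdown_ms"]:
        findings.append(f"computed holddown {detection_time_ms(p)} ms != reported {p['reported_holdown_ms']} ms")
    if transmit_interval_ms(p) != p["reported_hello_ms"]:
        findings.append(f"computed hello {transmit_interval_ms(p)} ms != reported {p['reported_hello_ms']} ms")
    return findings


if __name__ == "__main__":
    for label, sample in (("before auth", SAMPLE_UNAUTH), ("after auth", SAMPLE_AUTH)):
        p = parse_bfd_details(sample)
        print(label, "holddown", detection_time_ms(p), "ms, hello", transmit_interval_ms(p),
              "ms, echo detect", echo_detection_ms(p), "ms, findings:", audit(sample))
```

On the post's values the recomputed numbers match the switch: a 6000 ms holddown and 2000 ms hello on the control path (the 2,000,000 µs receive interval dominates the 50 ms transmit interval), with the echo function giving the 150 ms detection the introduction promised. The first sample is flagged for `Authentication: None`; the keyed-SHA1 sample produces no findings.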

Thanks for reading, happy studies!
