Bi-Directional Forwarding Detection (BFD); Configuring BFD - Fortinet FortiGate Series Administration Manual

Router Dynamic

Bi-directional Forwarding Detection (BFD)

How BFD works

Configuring BFD

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
The bi-directional Forwarding Detection (BFD) protocol is designed to deal with dynamic
routing protocols' lack of a fine granularity for detecting device failures on the network and
re-routing around those failures. BFD can more quickly react to these failures, since it
detects them on a millisecond timer, where other dynamic routing protocols can only
detect them on a second timer.
Your unit supports BFD as part of OSPF and BGP dynamic networking.
Note: You can configure BFD only from the CLI.
When you enable BFD on your FortiGate unit, BFD starts trying to connect to other routers
on the network. You can limit where BFD looks for routers by enabling one interface only,
and by enabling BFD for specific neighboring routers on the network.
Once the connection has been made, BFD will continue to send periodic packets to the
router to make sure it is still operational. These small packets are sent frequently.
If there is no response from the neighboring router within the set period of time, BFD on
your unit reports that router down and changes routing accordingly. BFD continues to try
to reestablish a connection with the non-responsive router.
Once that connection is reestablished, routes are reset to include the router once again.
BFD is intended for networks that use BGP or OSPF routing protocols. This generally
excludes smaller networks.
BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the
whole unit, and turn it off for one or two interfaces. Alternatively, you can specifically
enable BFD for each neighbor router or interface. Which method you choose will be
determined by the amount of configuring required for your network.
The timeout period determines how long the unit waits before labeling a connection as
down. The length of the timeout period is important—if it is too short connections will be
labeled down prematurely, and if it is too long time will be wasted waiting for a reply from a
connection that is down. There is no easy number, as it varies for each network and unit.
High-end FortiGate models will respond very quickly unless loaded down with traffic. Also
the size of the network will slow down the response time—packets need to make more
hops than on a smaller network. Those two factors (CPU load and network traversal time)
affect how long the timeout you select should be. With too short a timeout period, BFD will
not connect to the network device but it will keep trying. This state generates unnecessary
network traffic, and leaves the device unmonitored. If this happens, you should try setting
a longer timeout period to allow BFD more time to discover the device on the network.
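The detection time the text describes (minimum transmit interval multiplied by the detection multiplier, 50 ms x 3 = 150 ms with the defaults) is in practice negotiated between the two peers. The following added example, which is not part of the manual and not FortiGate code, applies the RFC 5880 negotiation rule so that asymmetric timers are handled too, and checks whether a chosen timer is long enough for the worst packet gap you have measured on the path; the timer values and gap figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdTimers:
    """Timers one BFD peer advertises in its control packets."""
    desired_min_tx_ms: int   # how often this side would like to send
    required_min_rx_ms: int  # slowest rate this side is willing to receive at
    detect_mult: int         # missed packets before the peer is declared down


# Constructed to match the defaults the manual describes:
# 50 ms minimum transmit interval, detection multiplier 3.
DEFAULT_TIMERS = BfdTimers(desired_min_tx_ms=50, required_min_rx_ms=50, detect_mult=3)


def transmit_interval_ms(sender: BfdTimers, receiver: BfdTimers) -> int:
    """Rate at which `sender` actually transmits to `receiver`.

    RFC 5880 6.8.7: the larger of the sender's Desired Min TX and the
    receiver's Required Min RX, so neither side is flooded faster than it
    has agreed to accept.
    """
    return max(sender.desired_min_tx_ms, receiver.required_min_rx_ms)


def detection_time_ms(local: BfdTimers, remote: BfdTimers) -> int:
    """Time after which `local` declares `remote` down.

    RFC 5880 6.8.4: the remote's Detect Mult multiplied by the interval at
    which the remote sends to us. With symmetric 50 ms / 3 timers this is
    the 150 ms quoted in the manual.
    """
    return remote.detect_mult * transmit_interval_ms(remote, local)


def timer_is_safe(local: BfdTimers, remote: BfdTimers, worst_gap_ms: int) -> bool:
    """True if a healthy peer would not be falsely declared down.

    `worst_gap_ms` is the longest gap between consecutive control packets you
    expect from a live peer (path jitter plus the peer's CPU scheduling
    delay under load, the two factors the manual calls out).
    """
    return detection_time_ms(local, remote) > worst_gap_ms


def required_detect_mult(tx_interval_ms: int, worst_gap_ms: int) -> int:
    """Smallest multiplier that keeps the detection time above the worst gap,
    i.e. what to raise `detect_mult` to instead of shortening the interval."""
    return worst_gap_ms // tx_interval_ms + 1
```

Raising the multiplier rather than the interval keeps the per-packet load on the peer unchanged while still lengthening the timeout, which is the remedy the text recommends when BFD keeps retrying without ever reaching the session up state.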
Configuring BFD on your FortiGate unit
For this example, BFD is enabled on the FortiGate unit using the default values. This
means that once a connection is established, your unit will wait for up to 150 milliseconds
for a reply from a BFD router before declaring that router down and rerouting traffic—a 50
millisecond minimum transmit interval multiplied by a detection multiplier of 3. The port
that BFD traffic originates from will be checked for security purposes as indicated by
disabling bfd-dont-enforce-src-port.
config system settings