BFD for Dynamic Routing Protocols
In addition to BFD for static routes, the firewall supports
BFD for the BGP, OSPF, and RIP routing protocols.
The Palo Alto Networks implementation of multihop
BFD follows the encapsulation portion of RFC 5883, Bidirectional
Forwarding Detection (BFD) for Multihop Paths, but does not
support BFD authentication. Without authentication, any host that
can inject packets on the path between the two peers can forge BFD
control packets and bring the session down, so multihop BFD should
not cross an untrusted network on its own. The workaround is to run
BGP, and with it the BFD session, inside a VPN tunnel: the tunnel
authenticates and protects the BFD packets, so no separate BFD
authentication mechanism is needed.
When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces,
OSPF establishes a BFD session only with its Designated Router (DR)
and Backup Designated Router (BDR). On point-to-point interfaces,
OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint
interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPFv2 or OSPFv3 virtual
link.
Each routing protocol can have independent BFD sessions on an
interface. Alternatively, two or more routing protocols (BGP, OSPF,
and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface,
and the source IP address and destination IP address for the protocols
are also the same, the protocols share a single BFD session, thus
reducing both dataplane overhead (CPU) and traffic load on the interface.
If you configure different BFD profiles for these protocols, only
one BFD profile is used: the one that has the lowest Desired
Minimum Tx Interval. If the profiles have the same Desired
Minimum Tx Interval, the profile of the session that was created
first takes effect. For example, when a static route and OSPF share
a session and their profiles have the same Desired Minimum Tx Interval,
the static route's profile takes effect, because the static session is
created right after a commit while OSPF waits until an adjacency is up.
The benefit of using a single BFD session in these cases is that
this behavior uses resources more efficiently. The firewall can
use the saved resources to support more BFD sessions on different
interfaces or support BFD for different source IP and destination
IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD
sessions, even though they can use the same BFD profile.
If you implement both BFD for BGP and HA path
monitoring, Palo Alto Networks recommends you not implement BGP
Graceful Restart. When the BFD peer's interface fails and path monitoring
fails, BFD can remove the affected routes from the routing
table and synchronize this change to the passive HA firewall before
Graceful Restart can take effect. If you nevertheless implement BFD
for BGP, Graceful Restart for BGP, and HA path monitoring, configure
BFD with a larger Desired Minimum Tx Interval and a larger
Detection Time Multiplier than the default values, so that BFD does
not withdraw routes before Graceful Restart can take effect.
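The following model, added here as an illustration and not Palo Alto Networks code, shows how the session-sharing rules above play out: requests from several protocols on the same interface collapse into one session when their source and destination addresses match, IPv4 and IPv6 always get separate sessions, a shared session takes the profile with the lowest Desired Minimum Tx Interval, and a tie goes to the profile of the session created first (static before OSPF). It also computes the resulting detection time, which is what the Graceful Restart guidance above is about. The profile values, interface names and addresses are constructed for the example; the detection-time formula is the one from RFC 5880 section 6.8.4, not something the page states.

```python
"""Model of BFD session sharing across routing protocols and of the
resulting detection time. Illustrative code written for this page, not
PAN-OS code; all profiles, interfaces and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BfdProfile:
    name: str
    desired_min_tx_ms: int       # Desired Minimum Tx Interval
    required_min_rx_ms: int      # Required Minimum Rx Interval
    detect_multiplier: int       # Detection Time Multiplier


@dataclass(frozen=True)
class BfdRequest:
    """One protocol (or a static route) asking for BFD on a path."""
    protocol: str                # "static", "ospf", "bgp" or "rip"
    interface: str
    src: str
    dst: str
    profile: BfdProfile
    created_at: int              # creation order: static sessions appear right
                                 # after commit, OSPF only once an adjacency is up


SessionKey = Tuple[str, str, str, int]


def session_key(req: BfdRequest) -> SessionKey:
    """Sessions are shared per (interface, source, destination). IPv4 and
    IPv6 on the same interface always form separate sessions."""
    family = 6 if ":" in req.src else 4
    return (req.interface, req.src, req.dst, family)


@dataclass
class BfdSession:
    profile: BfdProfile
    protocols: List[str]


def build_sessions(requests: List[BfdRequest]) -> Dict[SessionKey, BfdSession]:
    """Collapse requests into sessions and pick each session's profile."""
    sessions: Dict[SessionKey, BfdSession] = {}
    # Walk in creation order so a tie on Desired Min Tx keeps the profile
    # of the session that was created first.
    for req in sorted(requests, key=lambda r: r.created_at):
        key = session_key(req)
        if key not in sessions:
            sessions[key] = BfdSession(profile=req.profile, protocols=[req.protocol])
            continue
        session = sessions[key]
        session.protocols.append(req.protocol)
        # Only a strictly lower Desired Min Tx replaces the profile in use.
        if req.profile.desired_min_tx_ms < session.profile.desired_min_tx_ms:
            session.profile = req.profile
    return sessions


def detection_time_ms(local: BfdProfile, remote: BfdProfile) -> int:
    """Local detection time per RFC 5880 section 6.8.4: the peer's Detect
    Mult times the negotiated transmit interval, which is the larger of our
    Required Min Rx and the peer's Desired Min Tx."""
    return remote.detect_multiplier * max(local.required_min_rx_ms,
                                          remote.desired_min_tx_ms)


# Constructed profiles. DEFAULT stands in for an unmodified profile; HA_SAFE
# is the kind of slower profile the HA + Graceful Restart guidance calls for.
DEFAULT = BfdProfile("default", 1000, 1000, 3)
FAST = BfdProfile("fast", 200, 200, 3)
RIP_PROFILE = BfdProfile("rip-profile", 1000, 1000, 5)   # same Tx as DEFAULT: a tie
HA_SAFE = BfdProfile("ha-safe", 2000, 2000, 5)

SAMPLE_REQUESTS = [
    BfdRequest("static", "ethernet1/1", "192.0.2.1", "192.0.2.2", DEFAULT, created_at=1),
    BfdRequest("rip", "ethernet1/1", "192.0.2.1", "192.0.2.2", RIP_PROFILE, created_at=2),
    BfdRequest("ospf", "ethernet1/1", "192.0.2.1", "192.0.2.2", FAST, created_at=3),
    BfdRequest("bgp", "ethernet1/1", "2001:db8::1", "2001:db8::2", DEFAULT, created_at=4),
    BfdRequest("bgp", "ethernet1/2", "198.51.100.1", "198.51.100.2", FAST, created_at=5),
]


def summarize(requests: List[BfdRequest] = SAMPLE_REQUESTS):
    """Return {(iface, src, dst, family): (profile name, [protocols])}."""
    return {k: (s.profile.name, s.protocols)
            for k, s in build_sessions(requests).items()}


if __name__ == "__main__":
    for key, (profile, protocols) in summarize().items():
        print(key, profile, protocols)
    print("fast vs default peer:", detection_time_ms(FAST, DEFAULT), "ms")
    print("ha-safe both sides:", detection_time_ms(HA_SAFE, HA_SAFE), "ms")
```

Two things the model makes visible: the three IPv4 requests on ethernet1/1 become a single session whose profile is "fast" even though the static route and RIP asked for slower timers, and the detection time is set by the slower side of the pair, so lowering your own Desired Minimum Tx Interval buys nothing unless the peer's profile is lowered as well.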