CN-Series
Test Case: Layer 3 BFD Based CN-GW Failure Handling
Table of Contents
Expand All
|
Collapse All
CN-Series Firewall Docs
-
-
- Deployment Modes
- HSF
- In-Cloud and On-Prem
-
-
-
Test Case: Layer 3 BFD Based CN-GW Failure Handling
Where Can I Use This? | What Do I Need? |
---|---|
|
|
This test evaluates the BFD configuration required to handle CN-GW failures. A BFD
profile handles CN-GW failures on the Upstream/Downstream routers.
Symmetric Traffic Flow
- If the ingress traffic interface is CN-GW 1, the route lookup to find the egress
interface is on LR1.
- Route 1: Destination: Client subnet; Next-hop: R1
- Route 2: Destination: Server subnet; Next-hop: LR2
- If the ingress traffic interface is CN-GW 2, the route lookup to find the egress
interface is on LR2.
- Route 1: Destination: Client subnet; Next-hop: R1
- Route 2: Destination: Server subnet; Next-hop: R2
Asymmetric Traffic Flow
CN-Series HSF supports asymmetric traffic flow too. For example, Client to Server
traffic matching session 1 flowing through CN-GW 1 and Server to Client traffic
matching session 1 flowing through CN-GW 2. For asymmetric traffic flow, all
interfaces facing R1 must be in the same zone. Similarly, all interfaces facing R2
must be in the same zone.
Inter LR Routing
For example, if the ingress traffic interface is CN-GW 1, route lookup to find the
egress interface is on LR1. If there is a route to reach Server with the next-hop as
LR2, then CN-NGFW will send the traffic to LR2. Based on CN-GW 2 LR2 route lookup,
packet will be sent to the Server.
- Go to NetworkRouting Routing Profiles BFD, then select the variable template from the Template drop-down.You must enable BFD on external routers and logical routers.Click Add to add for the BFD profile.Enter a Name.Select the Mode in which BFD operates:
- Active—BFD initiates sending control packets to peer (default). At least one of the BFD peers must be Active; both can be Active.
- Passive—BFD waits for peer to send control packets and responds as required.
Enter the Desired Minimum Tx Interval (ms). This is the minimum interval, in milliseconds, at which you want the BFD protocol (referred to as BFD) to send BFD control packets; you are thus negotiating the transmit interval with the peer.Enter the Detection Time Multiplier. The local system calculates the detection time as the Detection Time Multiplier received from the remote system multiplied by the agreed transmit interval of the remote system (the greater of the Required Minimum Rx Interval and the last received Desired Minimum Tx Interval). If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2 to 50; default is 3.Enter the Hold Time (ms). This is the delay, in milliseconds, after a link comes up before BFD transmits BFD control packets. Hold Time applies to BFD Active mode only. If BFD receives BFD control packets during the Hold Time, it ignores them. Range is 0-120000, default is 0.Select Multihop to enable BFD over BGP multihop. Enter the Minimum Rx TTL.This is the minimum Time-to-Live value (number of hops) BFD will accept (receive) in a BFD control packet when BGP supports multihop BFD. (Range is 1-254; there is no default).Click OK to save the BFD profile.Configure static routes for the logical router.- Go to NetworkRouting Logical Router, then select the variable template from the Template drop-down.Select the Static IPv4 tab and click Add.Enter a Name for the static route.Enter the Destination route and netmask. For example, 192.168.200.0/24.Select the outgoing interface for packets to use to go to the next hop.For Next Hop, select ip-address and enter the IP address of your internal gateway. For example, 192.168.100.2.Enter an Admin Distance for the route to override the default administrative distance set for static routes for this logical router (range is 10 to 240; default is 10).Enter a Metric for the route (range is 1 to 65,535).Apply the BFD Profile created in previous steps to the static route so that if the static route fails, the firewall removes the route and uses an alternative route.Click OK.The BFD configuration takes care of CN-GW and path failures. In the following traffic flow diagram, consider two SSH sessions between Client and Server. Session 1 is flowing through path 1and Session 2 is flowing through path 2. If the CN-GW 1 or path 1 is down, the BFD configuration between R1 and CN-GW 1, R2 and CN-GW 1 helps R1identify the path failure and sends the traffic through path 2. The interfaces facing R1 must be in the same zone. Similarly, interfaces facing R2 must be in the same zone.Route 1: Destination: Client subnet; Next-hop is R1, Metric 10Route 2: Destination: Server subnet; Next-hop is LR2, Metric 11