Test Case: Layer 3 BFD Based CN-GW Failure Handling
Where Can I Use This?
  • CN-Series HSF Firewall deployment
What Do I Need?
  • CN-Series 11.0.x or above Container Images
  • Panorama running PAN-OS 11.0.x or above version
This test validates the BFD configuration required to detect and handle CN-GW failures. BFD sessions between the logical routers and the upstream (R1) and downstream (R2) routers detect a failed CN-GW or path, and a BFD profile applied to the static routes lets each side withdraw the affected route and reroute traffic.
Symmetric Traffic Flow
  • If the ingress traffic interface is CN-GW 1, the route lookup to find the egress interface is on LR1.
    • Route 1: Destination: Client subnet; Next-hop: R1
    • Route 2: Destination: Server subnet; Next-hop: LR2
  • If the ingress traffic interface is CN-GW 2, the route lookup to find the egress interface is on LR2.
    • Route 1: Destination: Client subnet; Next-hop: R1
    • Route 2: Destination: Server subnet; Next-hop: R2
Asymmetric Traffic Flow
CN-Series HSF also supports asymmetric traffic flow. For example, the Client-to-Server traffic of session 1 can flow through CN-GW 1 while the Server-to-Client traffic of the same session flows through CN-GW 2. For asymmetric traffic flow to be handled as a single session, all interfaces facing R1 must be in the same zone; similarly, all interfaces facing R2 must be in the same zone.
Inter LR Routing
For example, if the ingress traffic interface is CN-GW 1, the route lookup to find the egress interface is done on LR1. If the route to the Server has LR2 as its next hop, CN-NGFW forwards the traffic to LR2; LR2 then performs its own route lookup and sends the packet to the Server through CN-GW 2.
  1. Go to Network > Routing > Routing Profiles > BFD, then select the variable template from the Template drop-down.
    You must enable BFD on both the external routers (R1 and R2) and the logical routers; a BFD session only comes up when both peers are configured.
  2. Click Add to add a BFD profile.
  3. Enter a Name.
  4. Select the Mode in which BFD operates:
    • Active—BFD initiates sending control packets to peer (default). At least one of the BFD peers must be Active; both can be Active.
    • Passive—BFD waits for peer to send control packets and responds as required.
  5. Enter the Desired Minimum Tx Interval (ms). This is the minimum interval, in milliseconds, at which you want BFD to send BFD control packets; the actual transmit interval is negotiated with the peer, which may require a slower rate.
  6. Enter the Detection Time Multiplier. The local system calculates the detection time as the Detection Time Multiplier received from the remote system multiplied by the agreed transmit interval of the remote system (the greater of the Required Minimum Rx Interval and the last received Desired Minimum Tx Interval). If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2 to 50; default is 3.
  7. Enter the Hold Time (ms). This is the delay, in milliseconds, after a link comes up before BFD transmits BFD control packets. Hold Time applies to BFD Active mode only. If BFD receives BFD control packets during the Hold Time, it ignores them. Range is 0-120000, default is 0.
  8. Select Multihop to enable BFD over BGP multihop, then enter the Minimum Rx TTL. This is the minimum Time-to-Live value (number of hops) that BFD will accept in a received BFD control packet when BGP supports multihop BFD (range is 1-254; there is no default).
  9. Click OK to save the BFD profile.
  10. Configure static routes for the logical router.
    1. Go to Network > Routing > Logical Router, then select the variable template from the Template drop-down.
    2. Select the Static IPv4 tab and click Add.
    3. Enter a Name for the static route.
    4. Enter the Destination route and netmask. For example, 192.168.200.0/24.
    5. Select the outgoing interface for packets to use to go to the next hop.
    6. For Next Hop, select ip-address and enter the IP address of your internal gateway. For example, 192.168.100.2.
    7. Enter an Admin Distance for the route to override the default administrative distance set for static routes for this logical router (range is 10 to 240; default is 10).
    8. Enter a Metric for the route (range is 1 to 65,535).
    9. Apply the BFD Profile created in the previous steps to the static route. When the BFD session to the route's next hop goes down, the firewall removes the route from the routing table and uses the next-best alternative route (for example, the route with the next-lower metric); the route is reinstalled when the session comes back up.
    10. Click OK.
The BFD configuration takes care of both CN-GW and path failures. In the following traffic flow diagram, consider two SSH sessions between Client and Server. Session 1 flows through path 1 and Session 2 flows through path 2. If CN-GW 1 or path 1 goes down, the BFD sessions between R1 and CN-GW 1 and between R2 and CN-GW 1 expire, so R1 (and R2) detect the path failure and send the traffic through path 2. The interfaces facing R1 must be in the same zone. Similarly, the interfaces facing R2 must be in the same zone.
  • Route 1: Destination: Client subnet; Next-hop: R1; Metric: 10
  • Route 2: Destination: Server subnet; Next-hop: LR2; Metric: 11
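The following is an added example, not code from the original page or from Palo Alto Networks. It models the two mechanisms that the BFD profile and static route procedure above and the failover description rely on: (1) the BFD detection time as the Detection Time Multiplier step describes it (remote multiplier times the remote's agreed transmit interval, per RFC 5880), and (2) a BFD-tracked static route being withdrawn from a logical router so that the higher-metric route, here the metric-11 inter-LR route to LR2, takes over. Subnets, peer addresses, interface names and the metric-10 primary server route on LR1 are constructed assumptions for the illustration.

```python
# Added example (not from the original page or from Palo Alto Networks): BFD detection-time
# negotiation plus BFD-tracked static route withdrawal across two logical routers.
# Subnets, peer addresses and interface names below are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class BfdProfile:
    mode: str = "active"            # active (default) or passive
    desired_min_tx_ms: int = 1000   # proposed transmit interval (assumed default)
    required_min_rx_ms: int = 1000  # slowest rate accepted from the peer (assumed default)
    multiplier: int = 3             # page: range 2-50, default 3
    hold_time_ms: int = 0           # page: range 0-120000, default 0, active mode only

    def __post_init__(self):
        if self.mode not in ("active", "passive"):
            raise ValueError("mode must be active or passive")
        if not 2 <= self.multiplier <= 50:
            raise ValueError("Detection Time Multiplier out of range 2-50")
        if not 0 <= self.hold_time_ms <= 120000:
            raise ValueError("Hold Time out of range 0-120000 ms")


def detection_time_ms(local: BfdProfile, remote: BfdProfile) -> int:
    """Detection time computed by the local system (RFC 5880, section 6.8.4):
    remote multiplier * remote's agreed transmit interval, where that interval is
    max(local Required Min Rx, remote Desired Min Tx)."""
    return remote.multiplier * max(local.required_min_rx_ms, remote.desired_min_tx_ms)


@dataclass
class StaticRoute:
    name: str
    destination: str                 # prefix, e.g. "192.168.200.0/24"
    next_hop: str                    # peer IP, or "lr:<name>" for an inter-LR next hop
    interface: str
    metric: int = 10                 # page: 1-65535
    admin_distance: int = 10         # page: 10-240, default 10
    bfd_profile: Optional[BfdProfile] = None

    def __post_init__(self):
        if not 1 <= self.metric <= 65535 or not 10 <= self.admin_distance <= 240:
            raise ValueError(f"{self.name}: metric or admin distance out of range")


@dataclass
class LogicalRouter:
    name: str
    routes: list = field(default_factory=list)
    bfd_up: dict = field(default_factory=dict)   # next-hop IP -> BFD session up?

    def active_routes(self):
        # A BFD-tracked static route is removed while the session to its next hop is down.
        return [r for r in self.routes
                if r.bfd_profile is None or self.bfd_up.get(r.next_hop, False)]

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        dst_ip = ip_address(dst)
        cands = [r for r in self.active_routes() if dst_ip in ip_network(r.destination)]
        if not cands:
            return None
        # longest prefix wins, then lowest admin distance, then lowest metric
        return min(cands, key=lambda r: (-ip_network(r.destination).prefixlen,
                                         r.admin_distance, r.metric))


def forward(fabric: dict, ingress_lr: str, dst: str, hops: int = 0):
    """Egress decision for dst, starting on the LR of the ingress CN-GW and following
    inter-LR next hops. Returns (lr, route name, interface, next hop) or None."""
    route = fabric[ingress_lr].lookup(dst)
    if route is None:
        return None
    if route.next_hop.startswith("lr:"):
        if hops >= len(fabric):
            raise RuntimeError("inter-LR routing loop")
        return forward(fabric, route.next_hop[3:], dst, hops + 1)
    return (ingress_lr, route.name, route.interface, route.next_hop)


CLIENT, SERVER = "10.1.0.0/24", "192.168.200.0/24"   # constructed subnets
R1_VIA_GW1, R2_VIA_GW1 = "10.0.1.1", "10.0.2.1"      # constructed peer addresses from CN-GW 1
R1_VIA_GW2, R2_VIA_GW2 = "10.0.3.1", "10.0.4.1"      # constructed peer addresses from CN-GW 2


def build_fabric(bfd: BfdProfile = BfdProfile()) -> dict:
    """LR1 (CN-GW 1) and LR2 (CN-GW 2). LR1 carries the page's metric-10 client route and
    metric-11 inter-LR server route, plus an assumed BFD-tracked metric-10 server route
    via R2 so that the inter-LR route acts as the backup."""
    lr1 = LogicalRouter("LR1", routes=[
        StaticRoute("to-client", CLIENT, R1_VIA_GW1, "ethernet1/1", 10, bfd_profile=bfd),
        StaticRoute("to-server", SERVER, R2_VIA_GW1, "ethernet1/2", 10, bfd_profile=bfd),
        StaticRoute("to-server-via-lr2", SERVER, "lr:LR2", "lr2", 11),
    ], bfd_up={R1_VIA_GW1: True, R2_VIA_GW1: True})
    lr2 = LogicalRouter("LR2", routes=[
        StaticRoute("to-client", CLIENT, R1_VIA_GW2, "ethernet1/3", 10, bfd_profile=bfd),
        StaticRoute("to-server", SERVER, R2_VIA_GW2, "ethernet1/4", 10, bfd_profile=bfd),
    ], bfd_up={R1_VIA_GW2: True, R2_VIA_GW2: True})
    return {"LR1": lr1, "LR2": lr2}


if __name__ == "__main__":
    fabric = build_fabric()
    print("detection time (ms):", detection_time_ms(BfdProfile(), BfdProfile()))
    print("before failure:", forward(fabric, "LR1", "192.168.200.10"))
    fabric["LR1"].bfd_up[R2_VIA_GW1] = False     # BFD session to R2 on CN-GW 1 expires
    print("after failure: ", forward(fabric, "LR1", "192.168.200.10"))
```

With the default profile on both ends, the detection time is 3 x 1000 ms = 3 s, which is the minimum outage an SSH session such as Session 1 will see before the failed path is withdrawn; lowering the transmit intervals shortens it, at the cost of more control traffic and a higher risk of false failures on a congested link. The model also shows why the inter-LR route must not itself be BFD-tracked to a CN-GW 1 peer: it is the route that remains when those sessions are down.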