Test Case: Layer 3 BFD Based CN-GW Failure Handling

Where Can I Use This?
What Do I Need?
  • CN-Series HSF Firewall deployment
  • CN-Series 11.0.x or above Container Images
  • Panorama running PAN-OS 11.0.x or above version
This test evaluates the BFD configuration required to handle CN-GW failures. A BFD profile handles CN-GW failures on the Upstream/Downstream routers.
Symmetric Traffic Flow
  • If the ingress traffic interface is CN-GW 1, the route lookup to find the egress interface is on LR1.
    • Route 1: Destination: Client subnet; Next-hop: R1
    • Route 2: Destination: Server subnet; Next-hop: LR2
  • If the ingress traffic interface is CN-GW 2, the route lookup to find the egress interface is on LR2.
    • Route 1: Destination: Client subnet; Next-hop: R1
    • Route 2: Destination: Server subnet; Next-hop: R2
Asymmetric Traffic Flow
CN-Series HSF supports asymmetric traffic flow too. For example, Client to Server traffic matching session 1 flowing through CN-GW 1 and Server to Client traffic matching session 1 flowing through CN-GW 2. For asymmetric traffic flow, all interfaces facing R1 must be in the same zone. Similarly, all interfaces facing R2 must be in the same zone.
Inter LR Routing
For example, if the ingress traffic interface is CN-GW 1, the route lookup to find the egress interface is on LR1. If there is a route to reach the Server with the next-hop as LR2, then CN-NGFW sends the traffic to LR2. Based on the CN-GW 2 LR2 route lookup, the packet is sent to the Server.
  1. Go to Network > Routing > Routing Profiles > BFD, then select the variable template from the Template drop-down.
     You must enable BFD on external routers and logical routers.
  2. Click Add to add a BFD profile.
  3. Enter a Name.
  4. Select the Mode in which BFD operates:
     • Active—BFD initiates sending control packets to the peer (default). At least one of the BFD peers must be Active; both can be Active.
     • Passive—BFD waits for the peer to send control packets and responds as required.
  5. Enter the Desired Minimum Tx Interval (ms). This is the minimum interval, in milliseconds, at which you want the BFD protocol (referred to as BFD) to send BFD control packets; you are thus negotiating the transmit interval with the peer.
  6. Enter the Detection Time Multiplier. The local system calculates the detection time as the Detection Time Multiplier received from the remote system multiplied by the agreed transmit interval of the remote system (the greater of the Required Minimum Rx Interval and the last received Desired Minimum Tx Interval). If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2 to 50; default is 3.
  7. Enter the Hold Time (ms). This is the delay, in milliseconds, after a link comes up before BFD transmits BFD control packets. Hold Time applies to BFD Active mode only. If BFD receives BFD control packets during the Hold Time, it ignores them. Range is 0-120000; default is 0.
  8. Select Multihop to enable BFD over BGP multihop. Enter the Minimum Rx TTL. This is the minimum Time-to-Live value (number of hops) BFD will accept (receive) in a BFD control packet when BGP supports multihop BFD. (Range is 1-254; there is no default.)
  9. Click OK to save the BFD profile.
  10. Configure static routes for the logical router.
    1. Go to Network > Routing > Logical Router, then select the variable template from the Template drop-down.
    2. Select the Static > IPv4 tab and click Add.
    3. Enter a Name for the static route.
    4. Enter the Destination route and netmask. For example, 192.168.200.0/24.
    5. Select the outgoing interface for packets to use to go to the next hop.
    6. For Next Hop, select ip-address and enter the IP address of your internal gateway. For example, 192.168.100.2.
    7. Enter an Admin Distance for the route to override the default administrative distance set for static routes for this logical router (range is 10 to 240; default is 10).
    8. Enter a Metric for the route (range is 1 to 65,535).
    9. Apply the BFD Profile created in the previous steps to the static route so that if the static route fails, the firewall removes the route and uses an alternative route.
    10. Click OK.
The BFD configuration takes care of CN-GW and path failures. In the following traffic flow diagram, consider two SSH sessions between Client and Server. Session 1 is flowing through path 1 and Session 2 is flowing through path 2. If CN-GW 1 or path 1 is down, the BFD configuration between R1 and CN-GW 1, and between R2 and CN-GW 1, helps R1 identify the path failure and send the traffic through path 2. The interfaces facing R1 must be in the same zone. Similarly, interfaces facing R2 must be in the same zone.
Route 1: Destination: Client subnet; Next-hop is R1, Metric 10
Route 2: Destination: Server subnet; Next-hop is LR2, Metric 11