BFD for Dynamic Routing Protocols
In addition to BFD for static routes, the firewall supports
BFD for the BGP, OSPF, and RIP routing protocols.
The Palo Alto Networks® implementation
of multihop BFD follows the encapsulation portion of RFC 5883, Bidirectional Forwarding Detection (BFD) for
Multihop Paths, but does not support authentication. A workaround
is to configure BFD in a VPN tunnel for BGP. The VPN tunnel can
provide authentication without the duplication of BFD authentication.

When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces,
OSPF establishes a BFD session only with its Designated Router (DR)
and Backup Designated Router (BDR). On point-to-point interfaces,
OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint
interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual
link.
Each routing protocol can have independent BFD sessions on an
interface. Alternatively, two or more routing protocols (BGP, OSPF,
and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface,
and the source IP address and destination IP address for the protocols
are also the same, the protocols share a single BFD session, thus
reducing both dataplane overhead (CPU) and traffic load on the interface.
If you configure different BFD profiles for these protocols, only
one BFD profile is used: the one that has the lowest Desired
Minimum Tx Interval. If the profiles have the same Desired
Minimum Tx Interval, the profile used by the first created
session takes effect. In the case where a static route and OSPF
share the same session, because a static session is created right
after a commit, while OSPF waits until an adjacency is up, the profile
of the static route takes effect.

The benefit of using a single BFD session in these cases is that
this behavior uses resources more efficiently. The firewall can
use the saved resources to support more BFD sessions on different
interfaces or support BFD for different source IP and destination
IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD
sessions, even though they can use the same BFD profile.
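
The session-sharing and profile-selection rules above can be modeled to check which BFD profile actually takes effect on each interface. This is an added example, not Palo Alto Networks code; the `BfdClient` record, the profile names, the interval values, and the `created_order` field are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class BfdClient:
    protocol: str           # "static", "bgp", "ospf", "ospfv3", "rip"
    interface: str
    src_ip: str
    dst_ip: str
    profile: str            # hypothetical profile name
    desired_min_tx_ms: int  # Desired Minimum Tx Interval of that profile
    created_order: int      # assumed order in which sessions were created

def effective_sessions(clients):
    """Map each (interface, src, dst) BFD session to the profile in effect."""
    groups = {}
    for c in clients:
        # Parsing the addresses keeps IPv4 and IPv6 peers in separate sessions
        # and makes equivalent spellings of one address compare equal.
        key = (c.interface, ipaddress.ip_address(c.src_ip),
               ipaddress.ip_address(c.dst_ip))
        groups.setdefault(key, []).append(c)
    report = {}
    for (ifname, src, dst), members in groups.items():
        # Lowest Desired Minimum Tx Interval wins; a tie goes to the profile
        # of the session that was created first.
        winner = min(members, key=lambda c: (c.desired_min_tx_ms, c.created_order))
        report[(ifname, str(src), str(dst))] = {
            "profile": winner.profile,
            "tx_ms": winner.desired_min_tx_ms,
            "protocols": sorted(c.protocol for c in members),
            "ignored": sorted({c.profile for c in members} - {winner.profile}),
        }
    return report

# Constructed sample configuration (documentation address ranges).
SAMPLE = [
    BfdClient("static", "ethernet1/1", "192.0.2.1", "192.0.2.2", "static-bfd", 1000, 1),
    BfdClient("ospf", "ethernet1/1", "192.0.2.1", "192.0.2.2", "ospf-bfd", 1000, 2),
    BfdClient("bgp", "ethernet1/2", "198.51.100.1", "198.51.100.2", "bgp-slow", 2000, 3),
    BfdClient("ospf", "ethernet1/2", "198.51.100.1", "198.51.100.2", "ospf-fast", 500, 4),
    BfdClient("ospfv3", "ethernet1/2", "fe80::1", "fe80::2", "ospf-fast", 500, 5),
]

if __name__ == "__main__":
    for session, info in effective_sessions(SAMPLE).items():
        print(session, info)
```

A non-empty `ignored` list marks a session where a configured profile is not the one in use, so the failure-detection timing on that path differs from what that protocol's configuration suggests.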
If you implement both BFD for BGP and HA path
monitoring, Palo Alto Networks recommends you not implement BGP
Graceful Restart. When the BFD peer’s interface fails and path monitoring
fails, BFD can remove the affected routes from the routing
table and synchronize this change to the passive HA firewall before
Graceful Restart can take effect. If you decide to implement BFD
for BGP, Graceful Restart for BGP, and HA path monitoring, you should
configure BFD with a larger Desired Minimum Tx Interval and larger
Detection Time Multiplier than the default values.