Correct way to configure BFD for a BGP peer with VRF


Hi All,

I’m wondering what is the correct way to create a BFD peer for a BGP peer that is using a VRF?

I have tried a number of different ways so far and none of them seem to work.

I am running 1.4-rolling-202204300743.

Here is some config for peers that are working (they are also peering via BGP) in the default VRF:

set protocols bfd profile nsx interval multiplier '3'
set protocols bfd profile nsx interval receive '500'
set protocols bfd profile nsx interval transmit '500'
set protocols bfd peer 10.255.217.3 profile 'nsx'
set protocols bfd peer 10.255.217.4 profile 'nsx'
set protocols bfd peer 10.255.217.19 profile 'nsx'
set protocols bfd peer 10.255.217.20 profile 'nsx'

Here are the different methods I’ve tried for configuring it for peers that exist in the RED vrf:

set vrf name RED protocols bgp neighbor 10.255.217.35 bfd profile 'nsx'
set protocols bfd peer 10.255.217.35 vrf 'RED'
set protocols bfd peer 10.255.217.35 profile 'nsx'

I’ve also tried:

  • Configuring them with no VRF (the same as the above working config) and it does not work (as expected).
  • Binding them to an interface or source address

The peers (10.255.217.35 in this case) are all reachable and BGP sessions are established in the respective VRFs (RED in this case).

Here’s some sample output to show a working and a non-working one:

admin@a-vrouter-01.spicy.meatballs:~$ show bfd peer 10.255.217.4
        peer 10.255.217.4 vrf default
                ID: 2148291320
                Remote ID: 4018823608
                Active mode
                Status: up
                Uptime: 12 minute(s), 12 second(s)
                Diagnostics: ok
                Remote diagnostics: ok
                Peer Type: configured
                Local timers:
                        Detect-multiplier: 3
                        Receive interval: 500ms
                        Transmission interval: 500ms
                        Echo receive interval: 50ms
                        Echo transmission interval: disabled
                Remote timers:
                        Detect-multiplier: 3
                        Receive interval: 500ms
                        Transmission interval: 500ms
                        Echo receive interval: disabled

admin@a-vrouter-01.spicy.meatballs:~$ show bfd peer 10.255.217.35
        peer 10.255.217.35 vrf RED
                ID: 1503595726
                Remote ID: 0
                Active mode
                Status: down
                Downtime: 11 minute(s), 15 second(s)
                Diagnostics: ok
                Remote diagnostics: ok
                Peer Type: configured
                Local timers:
                        Detect-multiplier: 3
                        Receive interval: 500ms
                        Transmission interval: 500ms
                        Echo receive interval: 50ms
                        Echo transmission interval: disabled
                Remote timers:
                        Detect-multiplier: 3
                        Receive interval: 1000ms
                        Transmission interval: 1000ms
                        Echo receive interval: disabled

I am certain that BFD is enabled on the remote peer (10.255.217.35) as well.

Can someone please provide some insight into what I’m doing wrong?

Regards,
Kane.

Looking at some tcpdump output below:

admin@a-vrouter-01.spicy.meatballs:~$ monitor traffic interface RED filter "udp[2:2]==3784 && src 10.255.217.33 && dst 10.255.217.35"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on RED, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:50:25.976509 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:50:26.796735 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:50:27.556820 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:50:28.466886 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:50:29.326959 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:50:30.117253 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:50:30.867340 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:50:31.757421 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:50:32.507497 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
admin@a-vrouter-01.spicy.meatballs:~$ monitor traffic interface RED filter "udp[2:2]==3784 && src 10.255.217.35 && dst 10.255.217.33"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on RED, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:50:44.515313 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:45.375704 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:46.216103 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:47.105156 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:48.065876 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:49.056158 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:49.945261 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:50.716530 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:51.576900 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:50:52.536651 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24

You can see that the remote host (10.255.217.35) is trying to initialise the BFD session, whereas the VyOS host (10.255.217.33) is sending a down.

VyOS is sending back an ICMP unreachable for port 3784, which also indicates it’s not working correctly:

admin@a-vrouter-01.spicy.meatballs:~$ monitor traffic interface RED filter "host 10.255.217.33"
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on RED, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:58:07.608580 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:58:07.608615 IP 10.255.217.33 > 10.255.217.35: ICMP 10.255.217.33 udp port 3784 unreachable, length 60
18:58:07.947087 IP 10.255.217.36.62713 > 10.255.217.33.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:07.947128 IP 10.255.217.33 > 10.255.217.36: ICMP 10.255.217.33 udp port 3784 unreachable, length 60
18:58:07.980390 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:08.448302 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:58:08.448335 IP 10.255.217.33 > 10.255.217.35: ICMP 10.255.217.33 udp port 3784 unreachable, length 60
18:58:08.706641 IP 10.255.217.36.62713 > 10.255.217.33.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:08.706675 IP 10.255.217.33 > 10.255.217.36: ICMP 10.255.217.33 udp port 3784 unreachable, length 60
18:58:08.880482 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:09.418180 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:58:09.418216 IP 10.255.217.33 > 10.255.217.35: ICMP 10.255.217.33 udp port 3784 unreachable, length 60
18:58:09.486038 IP 10.255.217.36.62713 > 10.255.217.33.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:09.486088 IP 10.255.217.33 > 10.255.217.36: ICMP 10.255.217.33 udp port 3784 unreachable, length 60
18:58:09.690786 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:10.239678 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:58:10.386929 IP 10.255.217.36.62713 > 10.255.217.33.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:10.386956 IP 10.255.217.33 > 10.255.217.36: ICMP 10.255.217.33 udp port 3784 unreachable, length 60
18:58:10.600881 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:11.069985 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:58:11.070029 IP 10.255.217.33 > 10.255.217.35: ICMP 10.255.217.33 udp port 3784 unreachable, length 60

Not sure if this helps at all.

Thanks,
Kane.
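
The symptom described in the post above, turned into a check over tcpdump text (an added example, not part of the original thread): a peer is flagged `no-listener` when the local host answers its BFD control packets on port 3784 with ICMP port unreachable. The function name, the verdict labels and the 10.255.217.40 sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

BFD_PORT = 3784  # BFD control port seen in the captures above

BFD_RE = re.compile(r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"BFDv1, Control, State (?P<state>\w+)")
ICMP_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                     r"ICMP [\d.]+ udp port (?P<port>\d+) unreachable")

# Sample input: first three lines are taken from the post, the two
# 10.255.217.40 lines are constructed for this example.
SAMPLE = """\
18:58:07.608580 IP 10.255.217.35.64360 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
18:58:07.608615 IP 10.255.217.33 > 10.255.217.35: ICMP 10.255.217.33 udp port 3784 unreachable, length 60
18:58:07.980390 IP 10.255.217.33.49176 > 10.255.217.35.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:08.100000 IP 10.255.217.33.49200 > 10.255.217.40.3784: BFDv1, Control, State Down, Flags: [none], length: 24
18:58:08.200000 IP 10.255.217.40.50000 > 10.255.217.33.3784: BFDv1, Control, State Init, Flags: [none], length: 24
""".splitlines()

def diagnose(lines, local):
    """Return {peer: verdict} for every BFD peer of `local` seen in tcpdump lines."""
    sent = defaultdict(set)    # peer -> states local advertised to the peer
    heard = defaultdict(set)   # peer -> states the peer advertised to local
    rejected = set()           # peers whose BFD packets local answered with ICMP
    for line in lines:
        m = BFD_RE.search(line)
        if m and int(m["dport"]) == BFD_PORT:
            if m["src"] == local:
                sent[m["dst"]].add(m["state"])
            elif m["dst"] == local:
                heard[m["src"]].add(m["state"])
            continue
        m = ICMP_RE.search(line)
        if m and m["src"] == local and int(m["port"]) == BFD_PORT:
            rejected.add(m["dst"])
    verdicts = {}
    for peer in sorted(set(sent) | set(heard) | rejected):
        if peer in rejected:
            verdicts[peer] = "no-listener"   # no socket accepted UDP 3784 for this packet
        elif "Up" in sent[peer] and "Up" in heard[peer]:
            verdicts[peer] = "up"
        elif heard[peer] and sent[peer] <= {"Down"}:
            verdicts[peer] = "rx-ignored"    # peer is on the wire, local never leaves Down
        else:
            verdicts[peer] = "negotiating"
    return verdicts

if __name__ == "__main__":
    print(diagnose(SAMPLE, "10.255.217.33"))
```

A peer stuck advertising Init while the local side stays in Down means the peer receives the local packets but the local daemon never processes the peer's; the ICMP reply narrows that to a missing listener rather than a filter dropping the traffic.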

Hi @kcslb92, maybe this command can help: set vrf bind-to-all

Hi @e.khudiyev, that has worked. Can you please elaborate on what that command does and why it fixed things? Is that expected behaviour?

Thanks,
Kane.

@kcslb92 briefly, this command allows services running under the default VRF to work across the non-default VRF (BFD in your case). You can check the description in the documentation as well: VRF — VyOS 1.4.x (sagitta) documentation
