BGP default keepalive: 60 seconds. Hold time: 180 seconds. That’s 3 minutes before your router notices a peer is dead. Three minutes of blackholing traffic.
OSPF default dead interval: 40 seconds. Better, but still 40 seconds of packets going nowhere.
BFD (Bidirectional Forwarding Detection) runs alongside routing protocols, detecting failures in milliseconds. When BFD sees the neighbor is dead, it tells BGP/OSPF immediately. Failover happens in under a second.
Routing protocol keepalives are too slow. BFD fixes this.
How BFD Works
```
Normal state:
Router A ←→ Router B
BFD packets every 300ms
Both routers: "Peer is alive"

Failure:
Router A → X → Router B (link fails)
Router A: No BFD response for 900ms (3 × 300ms)
Router A: "Peer is dead, notify BGP/OSPF"
BGP/OSPF: Immediately withdraw routes
Total detection time: ~1 second
```
BFD is protocol-independent. It just says “neighbor reachable” or “neighbor unreachable.” Routing protocols react to this signal.
BFD Timers
| Parameter | Description | Typical Value |
|---|---|---|
| interval | Time between BFD packets | 300ms |
| min-rx | Minimum receive interval | 300ms |
| multiplier | Missed packets before failure | 3 |
Detection time = interval × multiplier = 300ms × 3 = 900ms
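The timers in the table are carried in every BFD control packet (UDP port 3784), and each side derives its detection time from what its peer advertises. The following added example (not part of the original article) decodes the mandatory section of a control packet as laid out in RFC 5880 and computes the resulting detection time; the sample packet is constructed and the function names are illustrative.

```python
import struct

STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

def parse_bfd_control(payload: bytes) -> dict:
    """Decode the 24-byte mandatory section of a BFD control packet (RFC 5880, 4.1)."""
    if len(payload) < 24:
        raise ValueError("shorter than the 24-byte mandatory section")
    (vers_diag, state_flags, mult, length,
     my_disc, your_disc, tx_us, rx_us, echo_rx_us) = struct.unpack("!BBBBIIIII", payload[:24])
    # Basic reception checks (RFC 5880, 6.8.6): a receiver discards packets failing these.
    if vers_diag >> 5 != 1:
        raise ValueError("unsupported BFD version")
    if length < 24 or length > len(payload):
        raise ValueError("bad length field")
    if mult == 0 or my_disc == 0:
        raise ValueError("zero detect multiplier or discriminator")
    return {
        "diag": vers_diag & 0x1F,
        "state": STATES[state_flags >> 6],
        "auth_present": bool(state_flags & 0x04),
        "detect_mult": mult,
        "my_disc": my_disc,
        "your_disc": your_disc,
        "desired_min_tx_ms": tx_us / 1000,          # wire values are microseconds
        "required_min_rx_ms": rx_us / 1000,
        "required_min_echo_rx_ms": echo_rx_us / 1000,
    }

def detection_time_ms(local_min_rx_ms: float, peer: dict) -> float:
    """Silence after which the local side declares the peer down (asynchronous
    mode): the peer's multiplier times the larger of the two intervals."""
    return peer["detect_mult"] * max(local_min_rx_ms, peer["desired_min_tx_ms"])

# Constructed sample: version 1, state Up, multiplier 3, 300 ms tx/rx, no echo.
SAMPLE = struct.pack("!BBBBIIIII", 0x20, 0xC0, 3, 24, 1234567890, 1, 300_000, 300_000, 0)

if __name__ == "__main__":
    peer = parse_bfd_control(SAMPLE)
    print(peer["state"], detection_time_ms(300, peer))   # local min-rx 300 ms
    print(detection_time_ms(1000, peer))                 # local min-rx 1000 ms
```

With a local min-rx of 1000 ms against a peer advertising 300 ms, the local detection time follows the slower value, so the simple interval × multiplier figure only holds when both ends use the same timers.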
Basic BFD Configuration
Enable BFD Globally
```
configure

# Define BFD profile
set protocols bfd profile FAST interval 300
set protocols bfd profile FAST min-rx 300
set protocols bfd profile FAST multiplier 3

commit
```
BFD with BGP
```
configure

# Configure BGP neighbor
set protocols bgp neighbor 10.0.0.2 remote-as 65002
set protocols bgp neighbor 10.0.0.2 address-family ipv4-unicast

# Enable BFD for this neighbor
set protocols bgp neighbor 10.0.0.2 bfd

# Or with specific profile
set protocols bgp neighbor 10.0.0.2 bfd profile FAST

commit
```
BFD with OSPF
```
configure

# Configure OSPF
set protocols ospf area 0 network 10.0.0.0/24

# Enable BFD for all OSPF neighbors (interface level)
set protocols ospf interface eth0 bfd

# Or enable globally for all OSPF interfaces
set protocols ospf parameters bfd all-interfaces

commit
```
Multihop BFD
For eBGP peers not directly connected:
```
configure

# Multihop BGP neighbor
set protocols bgp neighbor 192.0.2.1 remote-as 65100
set protocols bgp neighbor 192.0.2.1 ebgp-multihop 3

# Multihop BFD (specify source)
set protocols bfd peer 192.0.2.1 source address 198.51.100.1
set protocols bfd peer 192.0.2.1 multihop
set protocols bfd peer 192.0.2.1 profile FAST

# Link BGP to BFD peer
set protocols bgp neighbor 192.0.2.1 bfd

commit
```
BFD Profiles
Create profiles for different use cases:
```
configure

# Aggressive (datacenter, low latency links)
set protocols bfd profile AGGRESSIVE interval 100
set protocols bfd profile AGGRESSIVE min-rx 100
set protocols bfd profile AGGRESSIVE multiplier 3
# Detection: 300ms

# Standard (most links)
set protocols bfd profile STANDARD interval 300
set protocols bfd profile STANDARD min-rx 300
set protocols bfd profile STANDARD multiplier 3
# Detection: 900ms

# Conservative (unstable links, prevent flapping)
set protocols bfd profile CONSERVATIVE interval 1000
set protocols bfd profile CONSERVATIVE min-rx 1000
set protocols bfd profile CONSERVATIVE multiplier 5
# Detection: 5 seconds

commit
```
Apply Profiles
```
# BGP neighbor with specific profile
set protocols bgp neighbor 10.0.0.2 bfd profile AGGRESSIVE

# OSPF interface with specific profile
set protocols ospf interface eth0 bfd profile STANDARD
```
Monitoring BFD
View BFD Status
```
# Show all BFD peers
show bfd peers

# Output:
# BFD Peers:
#   peer 10.0.0.2
#     ID: 1234567890
#     Status: up
#     Uptime: 2 hours 15 minutes
#     Diagnostics: ok
#     Local timers:
#       Interval: 300ms
#       Echo interval: disabled
#       Multiplier: 3
#     Remote timers:
#       Interval: 300ms
#       Multiplier: 3
```
View BFD with Routing Protocol
```
# BGP neighbor with BFD status
show bgp neighbors 10.0.0.2

# Look for:
# BFD: enabled
# BFD status: Up

# OSPF neighbor with BFD
show ip ospf neighbor

# BFD column shows: Up/Down
```
BFD Counters
```
# Show BFD statistics
show bfd peers counters

# Control packet statistics
# Session state change count
```
Echo Mode
BFD echo mode reduces CPU load by having the remote peer echo packets back:
```
configure

# Enable echo mode
set protocols bfd peer 10.0.0.2 echo-mode

# Set echo interval
set protocols bfd peer 10.0.0.2 echo-interval 50

commit
```
Echo Mode Considerations
- Lower CPU usage (echo packets handled in fast path)
- Requires symmetric forwarding
- May not work across some network devices
- Not available for multihop BFD
BFD and High Availability
BFD in Redundant Setup
```
         ISP A
           |
      [10.0.0.2]
           |
VyOS Router (BFD to both)
           |
      [10.0.1.2]
           |
         ISP B
```
```
configure

# Primary ISP - aggressive detection
set protocols bgp neighbor 10.0.0.2 remote-as 65001
set protocols bgp neighbor 10.0.0.2 bfd profile AGGRESSIVE

# Backup ISP - also fast detection
set protocols bgp neighbor 10.0.1.2 remote-as 65002
set protocols bgp neighbor 10.0.1.2 bfd profile AGGRESSIVE

commit
```
When primary fails, BFD detects in ~300ms, BGP converges, backup takes over.
BFD with VRRP
BFD can trigger faster VRRP failover:
```
# Not directly integrated, but:
# - BFD detects link failure
# - Track script checks BFD status
# - VRRP priority adjusted based on BFD
```
Troubleshooting BFD
BFD Session Not Establishing
```
# Check if BFD packets are exchanged
sudo tcpdump -i eth0 udp port 3784

# BFD control: UDP port 3784
# BFD echo: UDP port 3785

# Common issues:
# - Firewall blocking BFD ports
# - Source address mismatch
# - Timer mismatch (negotiation fails)
```
BFD Flapping
```
# Session up/down repeatedly
show log | grep -i bfd

# Causes:
# - Timers too aggressive for link quality
# - Congestion causing packet loss
# - MTU issues

# Solution: Increase timers
set protocols bfd profile STABLE interval 500
set protocols bfd profile STABLE multiplier 5
```
One-Way BFD
```
# BFD shows "Down" but packets sent

# Check for asymmetric routing
# BFD packets might take different return path

# For multihop BFD, ensure:
# - Source address configured correctly
# - Routing is symmetric
# - TTL is sufficient
```
BFD Firewall Rules
If a firewall is enabled, allow BFD:
```
configure

# Allow BFD control packets
set firewall ipv4 name ROUTER-IN rule 20 action accept
set firewall ipv4 name ROUTER-IN rule 20 protocol udp
set firewall ipv4 name ROUTER-IN rule 20 destination port 3784
set firewall ipv4 name ROUTER-IN rule 20 description "BFD Control"

# Allow BFD echo packets
set firewall ipv4 name ROUTER-IN rule 21 action accept
set firewall ipv4 name ROUTER-IN rule 21 protocol udp
set firewall ipv4 name ROUTER-IN rule 21 destination port 3785
set firewall ipv4 name ROUTER-IN rule 21 description "BFD Echo"

commit
```
Best Practices
1. Match Timers on Both Sides
```
# Both routers should have compatible timers
# BFD negotiates, but similar values work best

# Router A
set protocols bfd profile STANDARD interval 300
set protocols bfd profile STANDARD min-rx 300
set protocols bfd profile STANDARD multiplier 3

# Router B - same settings
```
2. Consider Link Quality
```
# High-quality datacenter links
# → Aggressive timers (100-300ms)

# WAN/Internet links
# → Conservative timers (500ms-1s)

# Satellite/high-latency links
# → Very conservative (1s+, higher multiplier)
```
3. Don’t Be Too Aggressive
```
# 50ms timers sound great until:
# - Minor congestion triggers failover
# - Route flapping destabilizes network
# - CPU can't keep up with BFD packets

# Start conservative, tune down if needed
```
4. Monitor BFD State
```
# Alert on BFD state changes
# Track BFD flapping frequency
# Correlate with network events
```
BFD Timer Calculation
```
Detection Time = interval × multiplier

Examples:
100ms × 3 = 300ms detection
300ms × 3 = 900ms detection
500ms × 5 = 2.5s detection
1000ms × 3 = 3s detection

Compare to:
BGP default: 180 seconds
OSPF default: 40 seconds
```
The Lesson
Routing protocol keepalives are too slow. BFD fixes this.
Without BFD:
- BGP: 180 seconds to detect dead peer
- OSPF: 40 seconds to detect dead neighbor
- Traffic blackholed during detection
With BFD:
- Sub-second detection (300ms-1s typical)
- Routing protocols react immediately
- Failover happens before users notice
BFD is simple to configure, low overhead, and dramatically improves convergence time. Every production BGP session and OSPF adjacency should have BFD enabled.
The only question is timer values: aggressive for reliable links, conservative for flaky links. Start with 300ms/3, adjust based on your network.
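One way to implement the flap tracking recommended under "Monitor BFD State", as an added example that is not part of the original article. The log lines are constructed and their layout is an assumption; adapt `LINE_RE` to what `show log | grep -i bfd` actually prints on your system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed layout: "<ISO time> bfdd: peer <ip> state <old> -> <new>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 bfdd: peer 10.0.1.2 state up -> down
2024-05-01T09:00:03 bfdd: peer 10.0.1.2 state down -> up
2024-05-01T10:00:00 bfdd: peer 10.0.0.2 state up -> down
2024-05-01T10:00:02 bfdd: peer 10.0.0.2 state down -> up
2024-05-01T10:01:10 bfdd: peer 10.0.0.2 state up -> down
2024-05-01T10:01:12 bfdd: peer 10.0.0.2 state down -> up
2024-05-01T10:02:00 bfdd: peer 10.0.1.2 state up -> down
2024-05-01T10:03:30 bfdd: peer 10.0.0.2 state up -> down
""".splitlines()

LINE_RE = re.compile(r"^(\S+) bfdd: peer (\S+) state (\w+) -> (\w+)$")

def flapping_peers(lines, window=timedelta(minutes=5), threshold=3):
    """Return {peer: time of first alert} for peers whose session dropped
    (up -> down) at least `threshold` times within a sliding `window`."""
    recent = defaultdict(deque)   # peer -> timestamps of recent drops
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore unrelated log lines
        ts, peer, old, new = m.groups()
        if (old, new) != ("up", "down"):
            continue
        when = datetime.fromisoformat(ts)
        drops = recent[peer]
        drops.append(when)
        while when - drops[0] > window:
            drops.popleft()       # forget drops older than the window
        if len(drops) >= threshold and peer not in alerts:
            alerts[peer] = when
    return alerts

if __name__ == "__main__":
    for peer, when in flapping_peers(SAMPLE_LOG).items():
        print(f"{peer} flapping since {when.isoformat()}: consider a more conservative profile")
```

In the sample, 10.0.0.2 drops three times in under five minutes and is flagged, while 10.0.1.2 drops twice an hour apart and is not.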