Configure BFD in Secure Firewall Threat Defense with Flex-Config

Available Languages

Download Options

  • PDF     (1.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.5 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.1 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 26, 2023
Document ID:220641

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure the BFD Protocol in Secure Firewall Management Center running 7.2 and earlier with Flex-Config.

    Prerequisites

    Border Gateway Protocol (BGP) configured in Cisco Secure Firewall Threat Defense (FTD) with Cisco Secure Firewall Management Center (FMC).

    Requirements

    Cisco recommends that you have knowledge of these topics:

    -BGP protocol
    -BFD concepts

    Components Used

    -Cisco Secure Firewall Management Center running 7.2 or earlier versions.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Bidirectional Forwarding Detection (BFD) is a detection protocol designed to provide fast-forwarding path failure detection times for all media types, encapsulations, topologies, and routing protocols.

    Configure

    BFD configurations in FMC running versions 7.2 and earlier must be configured with Flex-Config policies and objects.

    Step 1.

    Create the BFD template through Flexconfig Object.

    The BFD template specifies a set of BFD interval values. BFD interval values configured in the BFD template are not specific to a single interface. You can also configure authentication for single-hop and multi-hop sessions.

    To Create the Flex-Config object, select the Objects Tab at the top, click the FlexConfig option on the left column, then click the FlexConfig Object option and then click on Add FlexConfig Object.

    Flex-Config Object

    Step 2.

    Add the parameters needed for the BFD Protocol:

    The BFD template specifies a set of BFD interval values. BFD interval values configured in the BFD template are not specific to a single interface. You can also configure authentication for single-hop and multi-hop sessions.

    bfd-template [single-hop | multi-hop] template_name
    • single-hop - Specifies a single-hop BFD template.

    • multi-hop— Specifies a multi-hop BFD template.

    • template_name — Specifies the template name. The template name cannot contain spaces.

    • (Optional) Configure Echo on a single-hop BFD template.

    NoteYou can only enable Echo mode on a single-hop template.

    Configure the intervals in the BFD template:

    interval both milliseconds | microseconds {both | min-tx} microseconds | min-tx milliseconds echo

    • both—Minimum transmit and receive interval capability.

    • The interval in milliseconds. The range is 50 to 999.

    • microseconds—Specifies the BFD interval in microseconds forbothandmin-tx.

    • microseconds —The range is 50,000 to 999,000.

    • min-tx—The minimum transmit interval capability.

    Configure authentication in the BFD template:

    authentication {md5 | meticulous-mds | meticulous-sha-1 | sha-1}[0|8] wordkey-id id

    • authentication— Specifies the authentication type.

    • md5— Message Digest 5 (MD5) authentication.

    • meticulous-md5— Meticulous keyed MD5 authentication.

    • meticulous-sha-1— Meticulous keyed SHA-1 authentication.

    • sha-1— Keyed SHA-1 authentication.

    • 0|8—0 specifies that an UNENCRYPTED password follows. 8 specifies that an ENCRYPTED password follows.

    • word—The BFD password (key), which is a single-digit password/key of up to 29 characters. Passwords starting with a digit followed by a whitespace are not supported, for example, 0 pass and 1 are not valid.

    • key-id—The authentication Key ID.

    • id—The shared key ID that matches the key string. The range is 0 to 255 characters.

    Edit Flex Config Object

    Step 3.

    Associate the BFD Template with the interface.

    BFD SingleHop Object

    NoteAssociate the BFD multi-hop template with a map of destinations.

    Step 4 (Optional). 

    Create a BFD map containing destinations that you can associate with a multi-hop template. You must have a multi-hop BFD template already configured.

    Associate the BFD multi-hop template with a map of destinations:

    bfd map {ipv4 | ipv6} destination/cdir source/cdire template-name

    • ipv4— Configures an IPv4 address.

    • ipv6— Configures an IPv6 address.

    • destination/cdir — Specifies the destination prefix/length. The format is A.B.C.D/<0-32>.

    • source/cdir— Specifies the destination prefix/length. The format is X:X:X;X::X/<0-128>.

    • template-name — Specifies the name of the multi-hop template associated with this BFD map.

    Click the Save button to save the object.

    BFD Multi Hop Object

    Step 5.

    Click the Devices tab at the top, and select the FlexConfig option.

    Save Flex Config

    Step 6.

    To create a new FlexConfig Policy, click the New Policy button.

    Select Flex Config Policy

    Step 7.

    Name the policy and select the devices assigned to the policy. Click the Add to Policy then click the Savebutton.

    Devices on Flex Config Policy

    Step 8.

    Select the FlexConfig Object on the left column and click the > button to add the object to the FlexConfig Policy, and click the Save button.

    Assign Objects on Flex Config Policy

    Step 9.

    Click the Devices tab at the top and click the Device Management option.


    Save Flex Config Policy

    Step 10.

    Select the device where the BFD configuration is going to be assigned.

    Select Device to Config

    Step 11.

    Click the Routing tab, then click theIPv4 or IPv6, depending on your configuration in the BGP section on the left column, then click the Neighbor tab, and click the edit pencil button to edit it.

    Select Neighbor for the BFD

    Step 12.

    Select the checkbox for BFD fallover and click the OK button.

    BFD Fallover

    Step 13.

    Click the Deploy button, then click the Deployment button.

    Deployment Section

    Step 14.

    Select the device where the changes are going to be assigned by clicking the checkbox, and then click theDeploy button.

    Select Device to Deploy

    Step 15.

    Click the Deploy button.

    Deploy Confirmation

    Step 16.

    Click the Deploy button.

    Deploy Warnings

    Note: The warning is expected and it is just informational.

    Verify

     Verify the BFD configuration and the status directly on the CLI session with the next commands.

    > system support diagnostic-cli 
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

SF3130-A> enable
Password: 
SF3130-A# show running-config | inc bfd
bfd-template single-hop Template
 bfd template Template
  neighbor 172.16.10.2 fall-over bfd single-hop
                 
SF3130-A# show bfd summary
                    Session          Up          Down
Total               1                1           0           
 
SF3130-A# show bfd neighbors

IPv4 Sessions
NeighAddr                                       LD/RD         RH/RS       State   Int
172.16.10.2                                      1/1          Up

    Troubleshoot

    There is currently no specific troubleshooting information available for this configuration.

    Revision History

    Revision Publish Date Comments
    1.0
    26-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Eder Pacheco
      Security Escalation Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products