VPP/VPP BFD Nexus
This example shows how to configure Bidirectional Forwarding Detection (BFD) between VPP and a Cisco Nexus 6000 switch.
In this example we have:
A box running VPP with an Intel Niantic (X520/825990) NIC, visible as TenGigabitEthernet5/0/1 in VPP, connected to the Nexus switch's Eth1/3/3 interface.
For this test we assume that subnets 10.0.0.0/24 and 10.10.10.10/28 are not used.
Configure Interfaces
Configure the IP addresses on both VPP:
    DBGvpp# set int ip address TenGigabitEthernet5/0/1 10.0.0.2/24
    DBGvpp# set int state TenGigabitEthernet5/0/1 up
and Nexus:
    zglab-nexus-1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    zglab-nexus-1(config)# interface Ethernet 1/3/3
    zglab-nexus-1(config-if)# no switchport
    zglab-nexus-1(config-if)# ip address 10.0.0.1/24
    zglab-nexus-1(config-if)# end
    zglab-nexus-1#
Test
We should now be able to ping the Nexus from VPP and vice versa:
    DBGvpp# ping 10.0.0.1 repeat 5
    64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=.5994 ms
    64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=.5058 ms
    64 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=.5259 ms
    64 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=.5494 ms
    64 bytes from 10.0.0.1: icmp_seq=5 ttl=255 time=.5433 ms

    Statistics: 5 sent, 5 received, 0% packet loss

    zglab-nexus-1# ping 10.0.0.2
    PING 10.0.0.2 (10.0.0.2): 56 data bytes
    64 bytes from 10.0.0.2: icmp_seq=0 ttl=63 time=0.637 ms
    64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.492 ms
    64 bytes from 10.0.0.2: icmp_seq=2 ttl=63 time=0.503 ms
    64 bytes from 10.0.0.2: icmp_seq=3 ttl=63 time=0.475 ms
    64 bytes from 10.0.0.2: icmp_seq=4 ttl=63 time=0.441 ms

    --- 10.0.0.2 ping statistics ---
    5 packets transmitted, 5 packets received, 0.00% packet loss
    round-trip min/avg/max = 0.441/0.509/0.637 ms
Configure BFD
We now configure the BFD feature on the Nexus:
    zglab-nexus-1(config)# feature bfd
    Please disable the ICMP redirects on all interfaces running BFD sessions using the command below
    'no ip redirects '
    zglab-nexus-1(config)# interface Ethernet 1/3/3
    zglab-nexus-1(config-if)# no ip redirects
    zglab-nexus-1(config-if)# bfd interval 100 min_rx 100 multiplier 3
    zglab-nexus-1(config-if)# bfd neighbor src-ip 10.0.0.1 dest-ip 10.0.0.2
Check the state of the BFD session on the Nexus:
    zglab-nexus-1# show bfd neighbors details

    OurAddr    NeighAddr  LD/RD          RH/RS  Holdown(mult)  State  Int       Vrf
    10.0.0.1   10.0.0.2   1090519041/0   Down   N/A(3)         Down   Eth1/3/3  default

    Session state is Down and not using echo function
    Local Diag: 0, Demand mode: 0, Poll bit: 0, Authentication: None
    MinTxInt: 2000000 us, MinRxInt: 2000000 us, Multiplier: 3
    Received MinRxInt: 0 us, Received Multiplier: 3
    Holdown (hits): 0 ms (0), Hello (hits): 2000 ms (10)
    Rx Count: 0, Rx Interval (ms) min/max/avg: 0/0/0 last: 21064 ms ago
    Tx Count: 10, Tx Interval (ms) min/max/avg: 1944/1944/1944 last: 1564 ms ago
    Registered protocols: bfd_app
    Downtime: 0 days 0 hrs 0 mins 21 secs
    Last packet: Version: 0             - Diagnostic: 0
                 State bit: AdminDown   - Demand bit: 0
                 Poll bit: 0            - Final bit: 0
                 Multiplier: 3          - Length: 24
                 My Discr.: 0           - Your Discr.: 0
                 Min tx interval: 0     - Min rx interval: 0
                 Min Echo interval: 0   - Authentication bit: 0
    Down reason: No Diagnostic, Reason not-hosted: None
Now we configure the session in VPP:
    DBGvpp# bfd udp session add interface TenGigabitEthernet5/0/1 local-addr 10.0.0.2 peer-addr 10.0.0.1 desired-min-tx 100000 required-min-rx 100000 detect-mult 3
If we are quick enough (e.g. by doing a copy paste), we can see the session in the down state:
    DBGvpp# show bfd sessions
    Index Property                        Local value          Remote value
    0     IPv4 address                    10.0.0.2             10.0.0.1
          Session state                   Down                 Down
          Diagnostic code                 No Diagnostic        No Diagnostic
          Detect multiplier               3                    0
          Required Min Rx Interval (usec) 100000               1
          Desired Min Tx Interval (usec)  100000               0
          Transmit interval               1000000
          Min Echo Rx Interval (usec)     1                    0
          Demand mode                     no                   no
          Poll state                      BFD_POLL_NOT_NEEDED
    Number of configured BFD sessions: 1
before it goes up:
    DBGvpp# show bfd sessions
    Index Property                        Local value          Remote value
    0     IPv4 address                    10.0.0.2             10.0.0.1
          Session state                   Up                   Up
          Diagnostic code                 No Diagnostic        No Diagnostic
          Detect multiplier               3                    3
          Required Min Rx Interval (usec) 100000               2000000
          Desired Min Tx Interval (usec)  100000               100000
          Transmit interval               2000000
          Last control frame tx           .14s ago
          Last control frame rx           .04s ago
          Min Echo Rx Interval (usec)     1                    100000
          Demand mode                     no                   no
          Poll state                      BFD_POLL_NOT_NEEDED
    Number of configured BFD sessions: 1
We can also verify the session state on the Nexus:
    zglab-nexus-1# show bfd neighbors details

    OurAddr    NeighAddr  LD/RD                   RH/RS  Holdown(mult)  State  Int       Vrf
    10.0.0.1   10.0.0.2   1090519041/2530806747   Up     5288(3)        Up     Eth1/3/3  default

    Session state is Up and using echo function with 100 ms interval
    Local Diag: 0, Demand mode: 0, Poll bit: 0, Authentication: None
    MinTxInt: 100000 us, MinRxInt: 2000000 us, Multiplier: 3
    Received MinRxInt: 100000 us, Received Multiplier: 3
    Holdown (hits): 6000 ms (1), Hello (hits): 100 ms (837)
    Rx Count: 48, Rx Interval (ms) min/max/avg: 217/1976/3879 last: 711 ms ago
    Tx Count: 837, Tx Interval (ms) min/max/avg: 95/95/95 last: 70 ms ago
    Registered protocols: bfd_app
    Uptime: 0 days 0 hrs 1 mins 19 secs
    Last packet: Version: 1               - Diagnostic: 0
                 State bit: Up            - Demand bit: 0
                 Poll bit: 0              - Final bit: 0
                 Multiplier: 3            - Length: 24
                 My Discr.: -1764160549   - Your Discr.: 1090519041
                 Min tx interval: 100000  - Min rx interval: 100000
                 Min Echo interval: 1     - Authentication bit: 0
    Down reason: None, Reason not-hosted: None
We can get more aggressive detection by using the echo feature, for which we need an echo source interface configured in VPP:
    DBGvpp# loop create loop0
    DBGvpp# set int state loop0 up
    DBGvpp# set int ip address loop0 10.10.10.10/28
    DBGvpp# bfd udp echo-source set interface loop0
BFD will then quickly start to use the echo feature as a supplement. Note the new properties in the CLI output: Echo transmit interval and Last echo frame tx/roundtrip time.
    DBGvpp# show bfd sessions
    Index Property                        Local value          Remote value
    0     IPv4 address                    10.0.0.2             10.0.0.1
          Session state                   Up                   Up
          Diagnostic code                 No Diagnostic        No Diagnostic
          Detect multiplier               3                    3
          Required Min Rx Interval (usec) 100000               2000000
          Desired Min Tx Interval (usec)  100000               100000
          Transmit interval               2000000
          Last control frame tx           .81s ago
          Last control frame rx           .81s ago
          Min Echo Rx Interval (usec)     1                    100000
          Echo transmit interval          100000
          Last echo frame tx              .08s ago
          Last echo frame roundtrip time  .000048s
          Demand mode                     no                   no
          Poll state                      BFD_POLL_NOT_NEEDED
    Number of configured BFD sessions: 1
Session authentication
Now we will set up authentication for the BFD control frames, with the goal of not disrupting the current session state. For that, we first add the authentication key to VPP:
    DBGvpp# bfd key set conf-key-id 1 type keyed-sha1 secret 68656c6c6f20776f726c64
We enter the secret as a hex string; here the secret is the string "hello world".
Now we activate the authentication in VPP with the delayed option:
    DBGvpp# bfd udp session auth activate interface TenGigabitEthernet5/0/1 local-addr 10.0.0.2 peer-addr 10.0.0.1 conf-key-id 1 bfd-key-id 5 delayed yes
We can see that the authentication is not in use yet:
    DBGvpp# show bfd sessions
    Index Property                        Local value          Remote value
    0     IPv4 address                    10.0.0.2             10.0.0.1
          Session state                   Up                   Up
          Diagnostic code                 No Diagnostic        No Diagnostic
          Detect multiplier               3                    3
          Required Min Rx Interval (usec) 100000               2000000
          Desired Min Tx Interval (usec)  100000               100000
          Transmit interval               2000000
          Last control frame tx           1.78s ago
          Last control frame rx           .77s ago
          Min Echo Rx Interval (usec)     1                    100000
          Echo transmit interval          100000
          Last echo frame tx              0.00s ago
          Last echo frame roundtrip time  .000032s
          Demand mode                     no                   no
          Poll state                      BFD_POLL_NOT_NEEDED
    Number of configured BFD sessions: 1
Now we configure the authentication on the Nexus side:
    zglab-nexus-1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    zglab-nexus-1(config)# interface ethernet 1/3/3
    zglab-nexus-1(config-if)# bfd authentication Keyed-SHA1 key-id 5 hex-key 68656c6c6f20776f726c64 end
Shortly afterwards, VPP recognizes the now-signed control frames coming from the Nexus and switches to using the authentication (and signing outgoing frames) itself:
    DBGvpp# show bfd sessions
    Index Property                        Local value          Remote value
    0     IPv4 address                    10.0.0.2             10.0.0.1
          Session state                   Init                 Down
          Diagnostic code                 No Diagnostic        No Diagnostic
          Detect multiplier               3                    3
          Required Min Rx Interval (usec) 100000               100000
          Desired Min Tx Interval (usec)  100000               100000
          Transmit interval               100000
          Last control frame tx           .05s ago
          Last control frame rx           .13s ago
          Min Echo Rx Interval (usec)     1                    100000
          Demand mode                     no                   no
          Poll state                      BFD_POLL_NOT_NEEDED
          Authentication config key ID    1
          Authentication BFD key ID       5
          Sequence number                 1011200656           1431422116
    Number of configured BFD sessions: 1
We see that the authentication key information has appeared, and we can also see the sequence numbers.
Finally we check whether the session state was disturbed on the Nexus:
    zglab-nexus-1# show bfd neighbors details

    OurAddr    NeighAddr  LD/RD                   RH/RS  Holdown(mult)  State  Int       Vrf
    10.0.0.1   10.0.0.2   1090519041/2530806747   Up     5921(3)        Up     Eth1/3/3  default

    Session state is Up and using echo function with 100 ms interval
    Local Diag: 0, Demand mode: 0, Poll bit: 0, Authentication: Keyed-SHA1
    MinTxInt: 100000 us, MinRxInt: 2000000 us, Multiplier: 3
    Received MinRxInt: 1000000 us, Received Multiplier: 3
    Holdown (hits): 6000 ms (1), Hello (hits): 1000 ms (20929)
    Rx Count: 10203, Rx Interval (ms) min/max/avg: 217/2000/1750 last: 78 ms ago
    Tx Count: 20929, Tx Interval (ms) min/max/avg: 895/895/895 last: 684 ms ago
    Registered protocols: bfd_app
    Uptime: 0 days 4 hrs 55 mins 49 secs
    Last packet: Version: 1               - Diagnostic: 0
                 State bit: Up            - Demand bit: 0
                 Poll bit: 0              - Final bit: 0
                 Multiplier: 3            - Length: 24
                 My Discr.: -1764160549   - Your Discr.: 1090519041
                 Min tx interval: 100000  - Min rx interval: 1000000
                 Min Echo interval: 1     - Authentication bit: 1
    Down reason: None, Reason not-hosted: None
Checking the uptime confirms that it wasn't.
Similarly, we could remove the authentication without disturbing the session state by deactivating it on the VPP side with the "delayed yes" option and then deactivating it on the Nexus side.
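
What a "signed" control frame in the session authentication steps looks like on the wire, as an added example (not taken from VPP or NX-OS code): it builds and verifies a Keyed SHA1 BFD control packet following the RFC 5880 layout, using the secret and BFD key ID 5 configured above. The function names are illustrative, and the sample packet in the test is constructed from the discriminators and sequence number shown in the outputs.

```python
import hashlib
import hmac
import struct

# Added example: helper names are illustrative; field layout per RFC 5880.
KEYED_SHA1 = 4     # Auth Type value for Keyed SHA1
AUTH_LEN = 28      # type, len, key id, reserved, sequence (4), digest (20)
STATE_UP = 3
A_BIT = 0x04       # "Authentication Present" flag in the second header byte


def _padded(secret: bytes) -> bytes:
    # While hashing, the key sits in the 20-byte hash field, zero-padded.
    if len(secret) > 20:
        raise ValueError("Keyed SHA1 secret is at most 20 bytes")
    return secret.ljust(20, b"\x00")


def build_packet(secret, key_id, seq, my_disc, your_disc,
                 tx_us, rx_us, echo_rx_us, mult=3, state=STATE_UP):
    """Return a 52-byte BFD control packet signed with Keyed SHA1."""
    header = struct.pack("!BBBBIIIII",
                         1 << 5,                  # version 1, diagnostic 0
                         (state << 6) | A_BIT,
                         mult, 24 + AUTH_LEN,
                         my_disc, your_disc, tx_us, rx_us, echo_rx_us)
    auth = struct.pack("!BBBBI", KEYED_SHA1, AUTH_LEN, key_id, 0, seq)
    digest = hashlib.sha1(header + auth + _padded(secret)).digest()
    return header + auth + digest


def verify_packet(pkt, secret, key_id, last_seq=None):
    """Check A bit, lengths, on-wire key ID, digest and sequence window."""
    if len(pkt) != 52 or pkt[3] != 52 or not pkt[1] & A_BIT:
        return False
    a_type, a_len, pkt_key, _, seq = struct.unpack("!BBBBI", pkt[24:32])
    if (a_type, a_len, pkt_key) != (KEYED_SHA1, AUTH_LEN, key_id):
        return False
    expected = hashlib.sha1(pkt[:32] + _padded(secret)).digest()
    if not hmac.compare_digest(expected, pkt[32:]):
        return False
    if last_seq is not None:
        # Non-meticulous mode: accept last_seq .. last_seq + 3 * Detect Mult
        # (taken from the packet), compared modulo 2^32.
        if (seq - last_seq) % 2**32 > 3 * pkt[2]:
            return False
    return True


SECRET = bytes.fromhex("68656c6c6f20776f726c64")   # hex secret from the page
```

The key ID checked on the wire is the bfd-key-id (5), not VPP's local conf-key-id (1). Because non-meticulous Keyed SHA1 accepts a repeated sequence number, a captured frame stays acceptable until the sender increments it; RFC 5880 also defines a Meticulous Keyed SHA1 type that requires a strictly increasing number.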