How to Configure Security Policies to Allow BFD
In some scenarios, for example when BFD is bound to an interface state or when the monitored interface has no IP address, BFD uses multicast packets. In these scenarios, no security policy needs to be configured.
After BFD is enabled, the devices at both ends of the link establish a session by exchanging BFD control messages. Once the session is established, both ends send BFD control messages at the negotiated interval. If one end receives no BFD control message from the other end within the detection period, the session is considered down. This is BFD asynchronous mode. BFD can also work in demand mode, in which control messages are sent only when necessary, but most vendors support asynchronous mode only. BFD control messages are encapsulated in UDP packets. According to the relevant RFCs, the destination port number is 3784 for single-hop detection and 4784 for multi-hop detection.
By default, Huawei firewalls also use UDP port 3784 for multi-hop detection. You can run the multi-hop destination-port 4784 command to change the port to the standard port.
In addition, the BFD Echo function is supported. The local end sends BFD Echo packets, and the peer end returns them over the reverse channel without processing them. BFD Echo packets are encapsulated in UDP packets with destination port number 3785.
The BFD Echo function supports only single-hop detection in the following scenarios:
- Passive echo: Both ends of the link support BFD but have different detection capabilities. For example, if the minimum interval for receiving BFD packets supported by device A is 30 ms and that supported by device B is 150 ms, after negotiation device A can only operate at the detection rate of device B. When the passive echo function is enabled after the BFD session is set up, BFD packets can be received at an interval of 30 ms. The source and destination IP addresses of BFD Echo packets are both the IP address of the local outbound interface, and the destination physical (MAC) address is that of the peer device.
- One-arm echo: The peer end of the link does not support BFD. The local end sends special BFD packets whose destination IP address in the IP header is the local IP address and whose source IP address is either the local IP address or a manually specified one. After receiving the packets, the peer device loops them straight back to the local device, which checks whether the link is normal.
No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action
---|---|---|---|---|---|---|---
101 | Allow BFD single-hop out | Local | Untrust | 10.1.1.10/24 | 10.1.1.1/24 | bfd-control (UDP: 3784) | permit
102 | Allow BFD single-hop in | Untrust | Local | 10.1.1.1/24 | 10.1.1.10/24 | bfd-control (UDP: 3784) | permit
103 | Allow BFD multi-hop out | Local | Untrust | 10.1.1.10/24 | 10.1.2.1/24 | UDP: 4784 | permit
104 | Allow BFD multi-hop in | Untrust | Local | 10.1.1.1/24 | 10.1.1.10/24 | UDP: 4784 | permit
105 | Allow BFD echo out | Local | Untrust | 10.1.1.10/24 | 10.1.1.10/24 | bfd-echo (UDP: 3785) | permit
106 | Allow BFD echo in | Untrust | Local | 10.1.1.10/24 | 10.1.1.10/24 | bfd-echo (UDP: 3785) | permit
If a firewall is deployed on the multi-hop detection path, security policies need to be configured in both directions on the firewall to allow UDP packets to be transmitted to port 4784.
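As an added example that is not part of this Huawei document, the following Python script transcribes the six policy rows above and checks whether both directions of a single-hop, multi-hop and echo BFD session (constructed flows, addresses taken from the table) are matched by a permitting rule; the zone names, addresses and port numbers are the table's, the `match` and `bfd_session_coverage` functions are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Standard BFD UDP destination ports (RFC 5881 single-hop, RFC 5883 multi-hop, Echo)
BFD_PORTS = {"single-hop": 3784, "multi-hop": 4784, "echo": 3785}

@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    dport: int  # UDP destination port the rule permits

# The six rows of the policy table above, transcribed with the addresses as listed.
RULES = [
    Rule(101, "Allow BFD single-hop out", "Local", "Untrust", "10.1.1.10/24", "10.1.1.1/24", 3784),
    Rule(102, "Allow BFD single-hop in", "Untrust", "Local", "10.1.1.1/24", "10.1.1.10/24", 3784),
    Rule(103, "Allow BFD multi-hop out", "Local", "Untrust", "10.1.1.10/24", "10.1.2.1/24", 4784),
    Rule(104, "Allow BFD multi-hop in", "Untrust", "Local", "10.1.1.1/24", "10.1.1.10/24", 4784),
    Rule(105, "Allow BFD echo out", "Local", "Untrust", "10.1.1.10/24", "10.1.1.10/24", 3785),
    Rule(106, "Allow BFD echo in", "Untrust", "Local", "10.1.1.10/24", "10.1.1.10/24", 3785),
]

def match(src_zone, dst_zone, src_ip, dst_ip, dport, proto="udp", rules=RULES):
    """Return the number of the first permitting rule, or None (implicit deny)."""
    if proto != "udp":  # every row is a UDP service; anything else falls through
        return None
    for r in rules:
        # strict=False because the table writes host addresses with a /24 mask
        if (r.src_zone == src_zone and r.dst_zone == dst_zone and r.dport == dport
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src_net, strict=False)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r.dst_net, strict=False)):
            return r.number
    return None

def bfd_session_coverage(local_ip, peer_ip, kind):
    """Check both directions of one BFD session (constructed flows) and return
    (outbound_rule, inbound_rule). Echo packets carry src = dst = local IP."""
    port = BFD_PORTS[kind]
    if kind == "echo":
        return (match("Local", "Untrust", local_ip, local_ip, port),
                match("Untrust", "Local", local_ip, local_ip, port))
    return (match("Local", "Untrust", local_ip, peer_ip, port),
            match("Untrust", "Local", peer_ip, local_ip, port))

print(bfd_session_coverage("10.1.1.10", "10.1.1.1", "single-hop"))  # (101, 102)
print(bfd_session_coverage("10.1.1.10", "10.1.2.1", "multi-hop"))   # (103, None)
print(bfd_session_coverage("10.1.1.10", "10.1.1.1", "echo"))        # (105, 106)
```

With the addresses exactly as listed, multi-hop control messages returning from 10.1.2.1 match no row, because row 104 only covers sources in 10.1.1.0/24; this kind of per-direction check is worth running before trusting a BFD session through a firewall.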