← Back to posts
Networking

BFD Explained: How Bidirectional Forwarding Detection Makes BGP Failover Instant

By Travis · · 7 min read
#bgp#bfd#cisco#routing#high-availability#networking

The Problem: BGP Is Slow to Notice When Things Break

BGP was designed for inter-domain routing across the public internet — an environment where stability matters more than speed. The protocol uses a hold timer to detect peer failure: if a BGP speaker doesn’t receive a keepalive or update from its neighbor within the hold time (default 90 seconds), it declares the session down and withdraws all routes learned from that peer.

90 seconds. In a data center or enterprise WAN environment where applications expect sub-second failover, 90 seconds of packet loss is catastrophic.

You can reduce the BGP timers — setting keepalive to 1 second and hold time to 3 seconds is technically possible. But this creates its own problems. BGP keepalive processing is handled in the CPU’s routing process, not in the hardware forwarding plane. Under high CPU load (a BGP table update, a route reflector processing thousands of prefixes), keepalives can be delayed, triggering false positives — BGP sessions flapping when the underlying link is perfectly healthy.

The fundamental limitation is architectural: BGP’s failure detection operates at the control plane level. It can’t detect what’s happening in the hardware forwarding path.

The Solution: BFD Detects Failures in the Forwarding Plane

BFD (Bidirectional Forwarding Detection) is defined in RFC 5880 and was specifically designed to solve this problem. It’s a simple, lightweight hello protocol that operates independently of BGP (or any other routing protocol) and provides rapid failure detection at the forwarding plane level.

The core design is elegant:

  • BFD sessions run between network devices and exchange control packets at a configurable interval (commonly 300ms or even 50ms)
  • BFD is implemented close to the forwarding hardware — often in the line card or network processor itself, not in the main CPU
  • Because BFD operates at the data plane level, it detects actual forwarding failures, not just control plane delays
  • When BFD detects a failure, it notifies BGP (or OSPF, IS-IS, MPLS — any client protocol) immediately
  • BGP receives the notification and withdraws routes in milliseconds rather than waiting for hold timers to expire

The key insight: BFD offloads failure detection from BGP entirely. BGP timers can stay at their default values (preventing false positives under load), while BFD provides the fast detection.

How BFD Works

Session Establishment

BFD uses a three-way handshake to establish a session between two endpoints, similar to how BGP establishes a TCP session. The BFD session is independent — it has its own session state machine and runs even if the BGP session is down.

BFD packets are lightweight UDP datagrams sent to port 3784 (control packets) or 4784 (echo mode). Each packet contains:

  • My Discriminator: A locally generated identifier for this BFD session
  • Your Discriminator: The remote endpoint’s discriminator (learned from received packets)
  • State: Current session state (Down, Init, Up)
  • Detection Multiplier: How many missed packets before declaring failure
  • Desired Min TX Interval: How often this endpoint wants to send packets
  • Required Min RX Interval: Minimum interval at which this endpoint can receive packets

The actual tx interval is negotiated between peers: tx_interval = max(local_desired_tx, remote_required_rx).

Failure Detection Time

The detection time is calculated as:

Detection Time = tx_interval × detection_multiplier

With a tx interval of 300ms and a detection multiplier of 3:

Detection Time = 300ms × 3 = 900ms

With a tx interval of 50ms and detection multiplier of 3:

Detection Time = 50ms × 3 = 150ms

Sub-second detection is straightforward to achieve without stressing the CPU, since BFD is handled in the forwarding plane.

BFD Operating Modes

Asynchronous mode (most common): Both peers send BFD control packets continuously. If a peer misses detection_multiplier consecutive packets, it declares the session down.

Echo mode: One peer sends BFD echo packets that loop back through the forwarding path of the remote peer. This tests the actual data plane forwarding — if a packet can be forwarded, it comes back. Useful for detecting failures in the forwarding ASIC without requiring BFD support on the remote device.

Demand mode: Control packets are only sent on demand (when explicitly requested). Used for links where the forwarding path is already monitored by other means.

BFD on Cisco IOS-XE

Basic BFD Configuration

On IOS-XE, BFD is enabled per-interface and then registered with BGP via the neighbor statement:

! Enable BFD on the interface
interface GigabitEthernet0/0/1
  bfd interval 300 min_rx 300 multiplier 3

! Register BFD with BGP neighbor
router bgp 65001
  neighbor 10.0.0.2 fall-over bfd

The fall-over bfd command tells BGP to use BFD for this neighbor. If BFD detects the peer is down, BGP immediately tears down the session and withdraws routes — no waiting for hold timers.

Verifying BFD Sessions

! Check BFD session state
show bfd neighbors

! Detailed session info
show bfd neighbors details

! Check BFD neighbors registered with BGP
show bfd neighbors client bgp

! Sample output:
! IPv4 Sessions
! NeighAddr                              LD/RD         RH/RS     State     Int
! 10.0.0.2                               4097/4097     Up        Up        Gi0/0/1

The RH/RS field shows Remote Heard / Remote State. Both need to be Up for the session to be operational.

Tuning BFD Timers

interface GigabitEthernet0/0/1
  ! Aggressive: 150ms detection time
  bfd interval 50 min_rx 50 multiplier 3

  ! Conservative: 3 second detection time
  bfd interval 1000 min_rx 1000 multiplier 3

BFD on Cisco IOS-XR

IOS-XR uses a slightly different configuration syntax. BFD templates allow reusable configuration:

! Define a BFD profile (template)
bfd
  multipath include location 0/0/CPU0
!

! Configure BFD on the interface
interface GigabitEthernet0/0/0/1
  bfd mode ietf
  bfd address-family ipv4 timers start 5
  bfd address-family ipv4 minimum-interval 300
  bfd address-family ipv4 multiplier 3

! Register with BGP
router bgp 65001
  neighbor 10.0.0.2
    remote-as 65002
    bfd
    bfd fast-detect
    bfd minimum-interval 300
    bfd multiplier 3

Verifying on IOS-XR

! Check BFD summary
show bfd session

! Detailed per-session
show bfd session destination 10.0.0.2 detail

! Sample output:
! I/f: GigabitEthernet0/0/0/1, Location: 0/0/CPU0
! State: UP for 0d:2h:14m:32s, number of times UP: 1
! Session type: PR/V4/SH
! Received parameters:
!   Version: 1, desired tx interval: 300 ms, required rx interval: 300 ms
!   Required echo rx interval: 0 ms, multiplier: 3, diag: None
! Transmitted parameters:
!   Version: 1, desired tx interval: 300 ms, required rx interval: 300 ms
!   Multiplier: 3, diag: None

BFD on Cisco NX-OS

NX-OS requires the BFD feature to be enabled first:

! Enable BFD feature
feature bfd

! Configure BFD globally (optional defaults)
bfd interval 300 min_rx 300 multiplier 3

! Register with BGP
router bgp 65001
  neighbor 10.0.0.2
    remote-as 65002
    bfd

NX-OS also supports BFD for other protocols:

! BFD with OSPF
router ospf 1
  bfd

! BFD with IS-IS
router isis UNDERLAY
  bfd

! BFD with static routes
ip route 0.0.0.0/0 10.0.0.1 bfd 10.0.0.1 interval 300 min_rx 300 multiplier 3

Verifying on NX-OS

show bfd neighbors
show bfd neighbors detail
show bfd neighbors vrf all

Common BFD Use Cases

Data Center Leaf-Spine Fabric

In a VXLAN EVPN fabric, BFD is essential for fast convergence when a spine or uplink fails:

! On each leaf, enable BFD with all spine neighbors
router bgp 65000
  template peer SPINE-TEMPLATE
    bfd
    bfd-interval 300 min_rx 300 multiplier 3
  
  neighbor 10.0.0.101 inherit peer SPINE-TEMPLATE
  neighbor 10.0.0.102 inherit peer SPINE-TEMPLATE

When a spine goes offline, BFD detects the failure in 900ms and BGP immediately reroutes traffic through the remaining spine — instead of waiting 90 seconds for hold timers.

WAN Edge Routers

For dual-WAN or MPLS+Internet failover:

! Primary MPLS path
neighbor 10.1.1.1 remote-as 64512
neighbor 10.1.1.1 fall-over bfd

! Backup Internet path  
neighbor 203.0.113.1 remote-as 64513
neighbor 203.0.113.1 fall-over bfd

BFD for Static Routes

BFD can also track static routes — pulling down a static default route when the next-hop becomes unreachable:

! IOS-XE: track next-hop with BFD
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1

ip sla 1
  icmp-echo 10.0.0.1
  frequency 5

ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

BFD Limitations to Know

Not a substitute for physical redundancy. BFD detects forwarding failures quickly, but failover still requires a redundant path. BFD with no alternate route still means an outage.

CPU-based BFD is less reliable. Some platforms run BFD in software rather than hardware offload. On these platforms, heavy CPU load can still cause BFD false positives. Always verify whether your hardware supports hardware-offloaded BFD.

BFD doesn’t traverse NAT or certain firewalls. The discriminator values in BFD packets are connection-specific. NAT or stateful firewalls that modify packet headers can break BFD sessions. BFD is typically used only between directly connected or one-hop-away peers.

Single-hop vs multi-hop. Standard BFD (RFC 5880) is designed for single-hop sessions between directly connected devices. Multi-hop BFD (RFC 5883) exists for BGP peers separated by multiple hops, but is less commonly supported and requires explicit configuration (bfd multihop on IOS-XE/XR).

The Bottom Line

BFD is one of the highest-leverage improvements you can make to any BGP deployment. The configuration overhead is minimal — a few extra lines per neighbor — and the operational benefit is massive: failures that previously caused 90 seconds of packet loss now cause 300-900 milliseconds.

For any BGP deployment where availability matters — data center fabrics, WAN edges, MPLS PE-CE connections — BFD should be standard configuration, not an afterthought.

// Found this useful? Share it or start a conversation.
Y Hacker News 𝕏 X in LinkedIn 🦋 Bluesky r/ Reddit
// Related More on similar topics.
Networking May 27, 2025

BGP Prefix Lists and Route Maps: The Complete Guide to Controlling What You Accept and Advertise

A comprehensive guide to prefix-lists and route-maps in Cisco BGP — what they do, how they differ from ACLs, when to use each, and practical configurations for inbound/outbound BGP policy.
Networking May 26, 2025

Autonomous System Numbers Explained: What ASNs Are, How They Work, and How to Get One

Everything you need to know about Autonomous System Numbers — what an AS is, the difference between public and private ASNs, how they work in BGP, 2-byte vs 4-byte ASNs, how to look one up, and the process for getting your own.
Networking May 13, 2025

BGP EVPN Route Types 1–5: What They Are and What They Do

A complete breakdown of all five BGP EVPN route types defined in RFC 7432 and RFC 8365 — what information each carries, when each is generated, and how they work together to build a VXLAN fabric.