Related Documentation
- ACX, J, M, PTX, SRX, T Series, QFabric System, QFX Series standalone switches
- Understanding BFD Authentication for Static Routes
Example: Configuring BFD Authentication for Static Routes
This example shows how to configure Bidirectional Forwarding Detection (BFD) authentication for static routes.
Requirements
Junos OS Release 9.6 or later (Canada and United States version).
BFD authentication is only supported in the Canada and United States version of the Junos OS image and is not available in the export version.
Overview
You can configure authentication for BFD sessions running over IPv4 and IPv6 static routes. Routing instances and logical systems are also supported.
The following steps are needed to configure authentication on a BFD session:
- Specify the BFD authentication algorithm for the static route.
- Associate the authentication keychain with the static route.
- Configure the related security authentication keychain. This must be configured on the main router.
Tip: We recommend that you specify loose authentication checking if you are transitioning from nonauthenticated sessions to authenticated sessions.
[edit]
user@host# set routing-options static route ipv4 bfd-liveness-detection authentication loose-check
Figure 1 shows the sample network.
Figure 1: Customer Routes Connected to a Service Provider

Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device B
DkP5Ft0IQFclev7N"
set security authentication-key-chains key-chain bfd-kc4 key 5 start-time "2011-1-1.12:00:00 -0800"
Device D
DkP5Ft0IQFclev7N"
set security authentication-key-chains key-chain bfd-kc4 key 5 start-time "2011-1-1.12:00:00 -0800"
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure BFD for static routes:
1. On Device B, configure the interfaces.
[edit interfaces]
user@B# set ge-1/2/0 unit 0 description B->D
user@B# set ge-1/2/0 unit 0 family inet address 172.16.1.1/24
user@B# set lo0 unit 57 family inet address 10.0.0.1/32
user@B# set lo0 unit 57 family inet address 10.0.0.2/32
2. On Device B, create a static route and set the next-hop address.
[edit routing-options]
user@B# set static route 192.168.47.0/24 next-hop 172.16.1.2
3. On Device B, configure BFD for the static route.
[edit routing-options]
user@B# set static route 192.168.47.0/24 bfd-liveness-detection minimum-interval 1000
4. On Device B, specify the algorithm (keyed-md5, keyed-sha-1, meticulous-keyed-md5, meticulous-keyed-sha-1, or simple-password) to use for BFD authentication on the static route.
[edit routing-options]
user@B# set static route 192.168.47.0/24 bfd-liveness-detection authentication algorithm keyed-sha-1
Note: Nonstop active routing (NSR) is not supported with the meticulous-keyed-md5 and meticulous-keyed-sha-1 authentication algorithms. BFD sessions using these algorithms might go down after a switchover.
5. On Device B, specify the keychain to be used to associate BFD sessions on the specified route with the unique security authentication keychain attributes. This should match the keychain name configured at the [edit security authentication-key-chains] hierarchy level.
[edit routing-options]
user@B# set static route 192.168.47.0/24 bfd-liveness-detection authentication key-chain bfd-kc4
6. On Device B, specify the unique security authentication information for BFD sessions:
- The matching keychain name as specified in Step 5.
- At least one key, a unique integer between 0 and 63. Creating multiple keys allows multiple clients to use the BFD session.
- The secret data used to allow access to the session.
- The time at which the authentication key becomes active, in the format yyyy-mm-dd.hh:mm:ss.
[edit security authentication-key-chains key-chain bfd-kc4]
user@B# set key 5 secret "$9$JhZHmn6Ap0In/9ApOcSs24oaZikPfT3wY24ZG.mz36AtOIEyMWxSrlKvM-dbs2aDkP5Ft0IQFclev7N"
user@B# set key 5 start-time "2011-1-1.12:00:00 -0800"
7. If you are done configuring Device B, commit the configuration.
[edit]
user@B# commit
8. Repeat the configuration on Device D.
The algorithm and keychain must be configured on both ends of the BFD session, and they must match. Any mismatch in configuration prevents the BFD session from being created.
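How the matching requirement plays out on the wire for keyed-sha-1, as an added example that is not Juniper code: the Keyed SHA1 authentication section defined in RFC 5880, built by one peer and checked by the other. The key bytes are constructed, how Junos derives them from the configured secret is not covered here, and the replay check is simplified.

```python
import hashlib
import hmac
import struct

AUTH_KEYED_SHA1 = 4   # RFC 5880 Auth Type; 5 is Meticulous Keyed SHA1
SHA1_AUTH_LEN = 28    # type, len, key ID, reserved, 4-byte seq, 20-byte hash


def _packet(key_id, seq, my_disc, your_disc, tail):
    """BFD control packet (version 1, state Up, A bit set) ending in `tail`."""
    header = struct.pack(
        "!BBBBIIIII",
        1 << 5,                    # version 1, diagnostic 0
        (3 << 6) | 0x04,           # state Up, Authentication Present
        3,                         # detect multiplier
        24 + SHA1_AUTH_LEN,        # total length in bytes
        my_disc, your_disc,
        1_000_000, 1_000_000, 0,   # min TX, min RX, min echo RX (microseconds)
    )
    auth = struct.pack("!BBBBI", AUTH_KEYED_SHA1, SHA1_AUTH_LEN, key_id, 0, seq)
    return header + auth + tail


def build(key, key_id, seq, my_disc, your_disc):
    """Sender: hash the packet with the zero-padded key in the hash field."""
    padded = key.ljust(20, b"\x00")
    digest = hashlib.sha1(_packet(key_id, seq, my_disc, your_disc, padded)).digest()
    return _packet(key_id, seq, my_disc, your_disc, digest)


def verify(packet, keychain, last_seq=None):
    """Receiver: look up the key ID, recompute the digest, check the sequence."""
    auth_type, auth_len, key_id, _, seq = struct.unpack("!BBBBI", packet[24:32])
    if auth_type != AUTH_KEYED_SHA1 or auth_len != SHA1_AUTH_LEN:
        return "algorithm mismatch"
    key = keychain.get(key_id)
    if key is None:
        return "unknown key ID"
    # Simplified replay check: RFC 5880 also bounds how far ahead the sequence
    # may be and handles wraparound. Keyed (non-meticulous) mode accepts a
    # repeated sequence number; the meticulous variants require an increase.
    if last_seq is not None and seq < last_seq:
        return "stale sequence"
    expected = hashlib.sha1(packet[:32] + key.ljust(20, b"\x00")).digest()
    return "accept" if hmac.compare_digest(expected, packet[32:52]) else "digest mismatch"
```

A packet built with key ID 5 is accepted only by a peer whose keychain holds the same bytes under key ID 5; a different secret or a different key number is rejected before the session can come up.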
Results
Confirm your configuration by issuing the show interfaces, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Device B
DkP5Ft0IQFclev7N"; ## SECRET-DATA
            start-time "2011-1-1.12:00:00 -0800";
        }
    }
}
Verification
Confirm that the configuration is working properly.
- Verifying That BFD Sessions Are Up
- Viewing Details About the BFD Session
- Viewing Extensive BFD Session Information
Verifying That BFD Sessions Are Up
Purpose
Verify that the BFD sessions are up.
Action
From operational mode, enter the show bfd session command.
user@B> show bfd session
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
172.16.1.2               Up        ge-1/2/0.0     3.000     1.000        3

1 sessions, 1 clients
Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps
Meaning
The command output shows that the BFD session is up.
Viewing Details About the BFD Session
Purpose
View details about the BFD sessions and make sure that authentication is configured.
Action
From operational mode, enter the show bfd session detail command.
user@B> show bfd session detail
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
172.16.1.2               Up        ge-1/2/0.0     3.000     1.000        3
 Client Static, TX interval 1.000, RX interval 1.000, Authenticate
 Session up time 00:53:58
 Local diagnostic NbrSignal, remote diagnostic None
 Remote state Up, version 1
 Logical system 9, routing table index 22

1 sessions, 1 clients
Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps
Meaning
In the command output, Authenticate is displayed to indicate that BFD authentication is configured.
Viewing Extensive BFD Session Information
Purpose
View more detailed information about the BFD sessions.
Action
From operational mode, enter the show bfd session extensive command.
user@B> show bfd session extensive
Address                  State     Interface      Time     Interval  Multiplier
172.16.1.2               Up        ge-1/2/0.0     3.000     1.000        3
 Client Static, TX interval 1.000, RX interval 1.000, Authenticate
        keychain bfd-kc4, algo keyed-sha-1, mode strict
 Session up time 01:39:45
 Local diagnostic NbrSignal, remote diagnostic None
 Remote state Up, version 1
 Logical system 9, routing table index 22
 Min async interval 1.000, min slow interval 1.000
 Adaptive async TX interval 1.000, RX interval 1.000
 Local min TX interval 1.000, minimum RX interval 1.000, multiplier 3
 Remote min TX interval 1.000, min RX interval 1.000, multiplier 3
 Local discriminator 3, remote discriminator 4
 Echo mode disabled/inactive
 Authentication enabled/active, keychain bfd-kc4, algo keyed-sha-1, mode strict

1 sessions, 1 clients
Cumulative transmit rate 1.0 pps, cumulative receive rate 1.0 pps
Meaning
In the command output, Authenticate is displayed to indicate that BFD authentication is configured. The output for the extensive command provides the keychain name, the authentication algorithm, and the mode for each client in the session.
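A check over saved show bfd session extensive output that flags sessions running without authentication, outside strict mode, or with an unexpected algorithm, as an added example that is not Juniper tooling. The sample text is constructed: its second session, the "mode loose" wording used in testing, and the assumption that an unauthenticated session prints no keychain line are illustrative, and only IPv4 peers are matched.

```python
import re

# Constructed sample in the layout of the extensive output shown above.
SAMPLE = """\
Address                  State     Interface      Time     Interval  Multiplier
172.16.1.2               Up        ge-1/2/0.0     3.000     1.000        3
 Client Static, TX interval 1.000, RX interval 1.000, Authenticate
        keychain bfd-kc4, algo keyed-sha-1, mode strict
 Authentication enabled/active, keychain bfd-kc4, algo keyed-sha-1, mode strict
172.16.2.2               Up        ge-1/2/1.0     3.000     1.000        3
 Client Static, TX interval 1.000, RX interval 1.000
 Echo mode disabled/inactive

2 sessions, 2 clients
"""

SESSION = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)")
AUTH = re.compile(r"keychain (\S+), algo (\S+), mode (\S+)")


def audit(output, expected_algo="keyed-sha-1"):
    """Return (peer, finding) pairs for sessions that deviate from policy."""
    sessions, current = [], None
    for line in output.splitlines():
        m = SESSION.match(line)
        if m:  # a new session row starts at column 0 with the peer address
            current = {"peer": m.group(1), "auth": None}
            sessions.append(current)
        elif current and (a := AUTH.search(line)):
            current["auth"] = a.groups()  # (keychain, algo, mode)
    findings = []
    for s in sessions:
        if s["auth"] is None:
            findings.append((s["peer"], "no authentication"))
            continue
        _, algo, mode = s["auth"]
        if mode != "strict":
            findings.append((s["peer"], f"mode {mode}"))
        if algo != expected_algo:
            findings.append((s["peer"], f"algo {algo}"))
    return findings
```

Running it after a migration that used loose-check shows which sessions still need to be moved to strict checking.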
Published: 2014-07-23