Enabling Dedicated and Real-Time BFD on SRX Series Firewalls

By default, SRX Series Firewalls operate in centralized BFD mode. They also support distributed BFD, dedicated BFD, and real-time BFD.

Dedicated BFD

Enabling dedicated BFD impacts traffic throughput as one CPU core is removed from data plane processing.

To enable dedicated BFD on the SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, vSRX, and vSRX3.0 devices:

  1. Include the dedicated-ukern-cpu statement at the [edit chassis] hierarchy level and then commit the configuration.

      [edit]
      user@host# set chassis dedicated-ukern-cpu
      user@host# commit

      The following warning message to reboot the system displays when you commit the configuration:

      warning: Packet processing throughput may be impacted in dedicated-ukernel-cpu mode.
      warning: A reboot is required for dedicated-ukernel-cpu mode to be enabled. Please use "request system reboot" to reboot the system.
      commit complete

  2. Reboot the device to enable the configuration:

      user@host> request system reboot

  3. Verify that dedicated BFD is enabled.

      user@host> show chassis dedicated-ukern-cpu

      Dedicated Ukern CPU Status: Enabled

Real-Time BFD

Enabling real-time BFD does not impact data plane performance. Higher priority is given to the Packet Forwarding Engine process handling BFD in distributed mode. This is suitable for scenarios where fewer than half of the maximum number of BFD sessions are being used. See BFD Support By SRX Platform for the maximum number of BFD sessions supported per SRX device.

Note:

For more information about BFD in distributed mode, see Understanding How BFD Detects Network Failures.

To enable real-time BFD on SRX300, SRX320, SRX340, and SRX345 devices:

  1. Include the realtime-ukern-thread statement at the [edit chassis] hierarchy level and then commit the configuration.

      [edit]
      user@host# set chassis realtime-ukern-thread
      user@host# commit

      The following warning message to reboot the system displays when you commit the configuration:

      WARNING: realtime-ukern-thread is enable. Please use the command request system reboot.

  2. Reboot the device to enable the configuration:

      user@host> request system reboot

  3. Verify that real-time BFD is enabled.

      user@host> show chassis realtime-ukern-thread

      realtime Ukern thread Status: Enabled

BFD Support By SRX Platform

SRX Series Firewalls support the following maximum number of BFD sessions:

  • Up to four sessions on SRX300 and SRX320 devices.

  • Up to 50 sessions on SRX340, SRX345, and SRX380 devices.

  • Up to 120 sessions on SRX1500 devices.

On all SRX Series Firewalls, high CPU utilization triggered by causes such as CPU-intensive commands and SNMP walks makes the BFD protocol flap while processing large BGP updates. (Platform support depends on the Junos OS release in your installation.)

SRX Series Firewalls operating in chassis cluster mode support only BFD centralized mode.

The table below shows the BFD modes supported on each SRX Series Firewall.

Table 1: BFD Modes Supported on SRX Series Firewalls

| SRX Series Firewall | Centralized BFD Mode | Distributed BFD | Real-Time BFD | Dedicated Core |
|---|---|---|---|---|
| SRX300 | Default | Configuration | Configuration (Optional) | Not supported |
| SRX320 | Default | Configuration | Configuration (Optional) | Not supported |
| SRX340 | Default | Configuration | Configuration | Configuration (Optional) |
| SRX345 | Default | Configuration | Configuration | Configuration (Optional) |
| SRX380 | Default | Configuration | Configuration | Configuration (Optional) |
| SRX1500 | BFD failure detection time > 500 ms and dedicated mode is not enabled | BFD failure detection time < 500 ms and dedicated mode is not enabled | Not supported | Configuration |
| SRX4100 | BFD failure detection time > 500 ms | BFD failure detection time < 500 ms | Not supported | Not supported |
| SRX4200 | BFD failure detection time > 500 ms | BFD failure detection time < 500 ms | Not supported | Not supported |
| SRX4600 | BFD failure detection time > 500 ms | BFD failure detection time < 500 ms | Not supported | Not supported |
| SRX5000 line of devices with SPC2 card | Default | Not supported | Not supported | Not supported |
| SRX5000 line of devices with SPC3 card | BFD failure detection time > 500 ms | BFD failure detection time < 500 ms | Not supported | Not supported |
| vSRX | Default | Not supported | Not supported | Not supported |
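
A pre-change check that applies this page's rules to a planned real-time BFD deployment and confirms the mode from the verification output, as an added example that is not Juniper's code. The function names are hypothetical; session limits and platform support are taken from the session list and Table 1 above.

```python
# Added example: pre-change check for a real-time BFD plan on an SRX device.
# Function and variable names are hypothetical; limits come from this page.

MAX_BFD_SESSIONS = {  # from "BFD Support By SRX Platform"
    "SRX300": 4, "SRX320": 4,
    "SRX340": 50, "SRX345": 50, "SRX380": 50,
    "SRX1500": 120,
}
# Platforms whose Real-Time BFD column in Table 1 is not "Not supported".
REALTIME_PLATFORMS = {"SRX300", "SRX320", "SRX340", "SRX345", "SRX380"}


def check_realtime_plan(platform, sessions, chassis_cluster=False):
    """Return findings for a plan; an empty list means it fits the guidance."""
    findings = []
    if chassis_cluster:
        findings.append("chassis cluster mode supports only centralized BFD")
    if platform not in REALTIME_PLATFORMS:
        findings.append(f"{platform}: real-time BFD not supported in Table 1")
    limit = MAX_BFD_SESSIONS.get(platform)
    if limit is None:
        findings.append(f"{platform}: no session maximum listed on this page")
    elif sessions > limit:
        findings.append(f"{sessions} sessions exceeds the maximum of {limit}")
    elif sessions * 2 >= limit:
        findings.append(f"{sessions} sessions is not less than half of {limit}")
    return findings


def realtime_enabled(show_output):
    """True only if 'show chassis realtime-ukern-thread' reports Enabled."""
    for line in show_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "realtime ukern thread status":
            return value.strip() == "Enabled"
    return False  # a commit warning alone does not prove the mode is active


if __name__ == "__main__":
    # Constructed inputs: a planned deployment and post-reboot CLI output.
    print(check_realtime_plan("SRX340", 30))
    print(realtime_enabled("realtime Ukern thread Status: Enabled"))
```

Running the status check after the reboot step catches the case where the statement was committed but the device was never restarted.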