Configure BFD over ExpressRoute

ExpressRoute supports Bidirectional Forwarding Detection (BFD) over both private and Microsoft peering. By enabling BFD over ExpressRoute, you can expedite link failure detection between Microsoft Enterprise edge (MSEE) devices and the routers on which you terminate the ExpressRoute circuit (CE/PE). You can terminate ExpressRoute on Customer Edge routing devices or on Partner Edge routing devices (if you chose a managed Layer 3 connection service). This document explains why BFD is needed and how to enable it over ExpressRoute.

Need for BFD

[Diagram: the benefit of enabling BFD over an ExpressRoute circuit]

You can enable an ExpressRoute circuit through either Layer 2 connections or managed Layer 3 connections. In either case, if there are one or more Layer 2 devices in the ExpressRoute connection path, the responsibility for detecting link failures in the path lies with the overlying BGP.

On the MSEE devices, BGP keepalive and hold-time are typically configured as 60 and 180 seconds respectively. Therefore, following a link failure, it can take up to three minutes to detect the failure and switch traffic to an alternate connection.

You can control the BGP timers by configuring a lower BGP keepalive and hold-time on the customer edge peering device. If the BGP timers are mismatched between the two peering devices, the BGP session between the peers uses the lower timer value. The BGP keepalive can be set as low as three seconds, and the hold-time on the order of tens of seconds. However, setting BGP timers aggressively is less preferable because the protocol is process intensive.

In this scenario, BFD can help. BFD provides low-overhead link failure detection in a subsecond time interval.

Enabling BFD

BFD is configured by default under all newly created ExpressRoute private peering interfaces on the MSEEs. Therefore, to enable BFD, you only need to configure it on your CEs/PEs (on both your primary and secondary devices). Configuring BFD is a two-step process: you configure BFD on the interface and then link it to the BGP session.

An example CE/PE (using Cisco IOS XE) configuration is shown below.

interface TenGigabitEthernet2/0/0.150
   description private peering to Azure
   encapsulation dot1Q 15 second-dot1q 150
   ip vrf forwarding 15
   ip address
   bfd interval 300 min_rx 300 multiplier 3

router bgp 65020
   address-family ipv4 vrf 15
      network mask
      neighbor remote-as 12076
      neighbor fall-over bfd
      neighbor activate
      neighbor soft-reconfiguration inbound


To enable BFD under an already existing private peering, you need to reset the peering. See Reset ExpressRoute peerings.

BFD Timer Negotiation

Between BFD peers, the slower of the two peers determines the transmission rate. MSEE BFD transmission/receive intervals are set to 300 milliseconds. In certain scenarios, the interval may be set at a higher value of 750 milliseconds. By configuring higher values, you can force these intervals to be longer, but not shorter.
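
The negotiation described above can be worked through numerically. The following is an added example, not part of the original page or any Microsoft tooling: it parses the CE `bfd interval` line from the configuration above and applies the asynchronous-mode detection-time rule from RFC 5880. The function and variable names are hypothetical, the MSEE multiplier of 3 is an assumption (the page states only the MSEE intervals), and the "fast" and "slow" CE settings are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class BfdTimers:
    tx_ms: int       # Desired Min TX Interval
    rx_ms: int       # Required Min RX Interval
    multiplier: int  # Detect Mult

def parse_ios_bfd(line: str) -> BfdTimers:
    """Parse an IOS XE 'bfd interval <tx> min_rx <rx> multiplier <n>' line."""
    m = re.fullmatch(r"\s*bfd interval (\d+) min_rx (\d+) multiplier (\d+)\s*", line)
    if m is None:
        raise ValueError(f"not a bfd interval line: {line!r}")
    return BfdTimers(*map(int, m.groups()))

def detection_time_ms(local: BfdTimers, remote: BfdTimers) -> int:
    """Time for `local` to declare the session down (RFC 5880, section 6.8.4).

    The remote peer transmits no faster than max(its desired TX, our required
    RX), so the slower side sets the rate; `local` then waits for the remote's
    multiplier worth of those intervals before failing the session.
    """
    return remote.multiplier * max(local.rx_ms, remote.tx_ms)

# CE timers taken from the configuration line shown above.
CE = parse_ios_bfd("   bfd interval 300 min_rx 300 multiplier 3")
# MSEE intervals as stated on this page; the multiplier of 3 is an assumption.
MSEE_300 = BfdTimers(300, 300, 3)
MSEE_750 = BfdTimers(750, 750, 3)
# Constructed CE settings: one more aggressive, one slower than the MSEE.
CE_FAST = BfdTimers(50, 50, 3)
CE_SLOW = BfdTimers(1000, 1000, 3)

def summary() -> dict:
    """Detection time in milliseconds for each pairing."""
    return {
        "ce_sees_msee_300": detection_time_ms(CE, MSEE_300),
        "ce_sees_msee_750": detection_time_ms(CE, MSEE_750),
        "fast_ce_sees_msee_300": detection_time_ms(CE_FAST, MSEE_300),
        "msee_300_sees_fast_ce": detection_time_ms(MSEE_300, CE_FAST),
        "slow_ce_sees_msee_300": detection_time_ms(CE_SLOW, MSEE_300),
    }

if __name__ == "__main__":
    for name, ms in summary().items():
        print(f"{name}: {ms} ms")
```

A CE configured for 50 ms still detects failure in 900 ms against a 300 ms MSEE, while a CE configured for 1000 ms stretches detection to 3000 ms, which is the "longer, but not shorter" behaviour in numbers.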


If you have configured geo-redundant ExpressRoute circuits or use Site-to-Site IPsec VPN connectivity as backup, enabling BFD helps you fail over more quickly following an ExpressRoute connectivity failure.
