Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3222
Views
0
Helpful
1
Comments

An Intro. to BGP and it's Message types with PCAP

Samer R. Saleem
Level 4
Level 4

‎07-13-2021 09:59 PM - edited ‎07-13-2021 10:31 PM

Introduction:

BGP stands for Border Gateway Protocol, as the name implies it is a protocol that works on our network border devices, BGP is a an application layer protocol and it does work with TCP protocol 179 to establish it's peering connection with neighbors.

BGP is the internet protocol, all external routing protocols that used and exchanged on the internet are with the help of BGP.

you can check BGP is "application" here:

BGP is application.PNG

 

as stated above ("ROUTING PROTOCOL IS APPLICATION"):

 

 BGP version4 does support Multi-protocol BGP which means address family "AFI" support and subordinates Family Address "SAFI" (IPv6, L2VPN, IPv4, VPNv4, VPNv6).

BGP RFC 4271 link > https://datatracker.ietf.org/doc/html/rfc4271 

You can see the BGP version from the command show ip bgp summary below under the letter "V":

BGP version 4.PNG

 

NOTE: BGP Version is not the same as BGP table version.


 

We are going to create a small lab for BGP using Cisco IOS and Cisco IOS-XE using GNS3.

This is going to be the topology:

Topology.PNG

 

As been mentioned that BGP uses TCP to establish connections with neighbors, check below pcap for the connection between two routers:

TCP 179.PNG

 

BGP messages exchanged between the Routers will be and of course will continue to be exchanged between the peers are:

1.OPEN messages (establishing TCP Connection)

2.UPDATES (Updates of prefixes advertised or withdrawn)

3.Keep Alive message (it is like a hello message to make sure peer is still alive)

4.Notification message(when error happen in the connections)

 

These messages can be seen in two ways:

1.Debug on the routers

2.Packet Capture 

 

We are going view both of them here below:

 

#debug BGP all

 

*Jul 10 06:15:19.833: BGP: ses global 12.12.12.2 (0x7FA8710B3168:0) pas Enhanced Refresh cap received in open message

    Line 2: *Jul 10 06:15:12.352: BGP: ses global 12.12.12.1 (0x7FA84FFADDB0:1) Send NOTIFICATION 6/4 (Administrative Reset) 0 bytes
    Line 4: *Jul 10 06:15:12.352: BGP: ses global 12.12.12.2 (0x7FA8710B2D08:1) Send NOTIFICATION 6/4 (Administrative Reset) 0 bytes
    Line 5: *Jul 10 06:15:12.352: %BGP-3-NOTIFICATION_MANY: sent to 2 sessions 6/4 (Administrative Reset) for all peers

 

 

CSR#debug ip bgp updates


*Jul 10 06:21:01.715: BGP(0): 12.12.12.2 rcvd UPDATE w/ attr: nexthop 12.12.12.2, origin i, metric 0, merged path 2, AS_PATH
*Jul 10 06:21:01.715: BGP(0): 12.12.12.2 rcvd 123.123.123.1/32

 

*Jul 10 06:21:01.715: BGP(0): Revise route installing 1 of 1 routes for 123.123.123.1/32 -> 12.12.12.2(global) to main IP table
*Jul 10 06:21:01.717: BGP(0): 12.12.12.1 NEXT_HOP is on same subnet as the bgp peer and set to 12.12.12.2 for net 123.123.123.1/32, flags 200, sb: C0C0C00, mask: FFFFFF00
*Jul 10 06:21:01.717: BGP(0): (base) 12.12.12.1 send UPDATE (format) 123.123.123.1/32, next 12.12.12.2, metric 0, path 2
*Jul 10 06:21:01.718: BGP(0): 12.12.12.1 rcvd UPDATE w/ attr: nexthop 12.12.12.2, origin i, merged path 1 2, AS_PATH
*Jul 10 06:21:01.718: BGP(0): 12.12.12.1 rcvd 123.123.123.1/32

As you can see above, we have notification, updates, open message, below the keepalives>>>

 

#debug ip bgp keepalive

*Jul 10 06:22:43.252: BGP: 12.12.12.1 KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.252: BGP: 12.12.12.1 service 1 read request in BGP_IO
*Jul 10 06:22:43.990: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.990: BGP: 12.12.12.2 passive KEEPALIVE requested (rcv_open)
*Jul 10 06:22:43.990: BGP: ses global 12.12.12.2 (0x7FA879168DC8:0) pas service keepalive IO request.
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive KEEPALIVE write request serviced in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive service 2 read request in BGP_IO
*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive service 2 read request in BGP_IO

 

*Jul 10 06:22:43.991: BGP: 12.12.12.2 passive received KEEPALIVE, length (excl. header) 0
*Jul 10 06:22:43.991: %BGP-5-ADJCHANGE: neighbor 12.12.12.2 Up

The other way is to use the PCAP using wireshark capturing on GNS3 (this is of course in lab environment):

pcap shot.PNG

 

 Let's check the update message here and see what does it contain.

Update message1.PNG

 

 As you can see here, the NLRI is being advertised in the update message and it has Router2 loopback prefix (2.2.2.2/32) as it is being sent to Router1.

 

Thanks and I hope this was useful

 

Samer R. Saleem

0 Helpful
Comments
GioacchinoInfanti
Level 1
Level 1
‎01-28-2024 11:04 AM

Very interesting article: may I just suggest you to give the right touch of professionalism to pay attention between it's and its?

Not knowing the meaning of "it's" (IT IS or IT HAS) and "its" (3rd person - personal pronoun) may cause confusion and may heavily impact the readibility and comprehension of the articles and the credibility of the author.

Take my extended comment as a way for you to improve :-), best of luck for the future.

Gio

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents